Employee Privacy Notice
Privacy Notice for Employees & Volunteers
Choices Housing Association 1A King Street, Newcastle-under-Lyme, Staffordshire ST5 1EN (“the Employer”)
Choices Housing Association (“Choices”) is committed to protecting your privacy and complying with the General Data Protection Regulations 2016 (“GDPR”.) We will only collect and process personal data which is proportionate and necessary in relation to your employment, and we will not keep it for longer than is necessary. We will ensure that we have appropriate technological and organisational measures in place to keep the personal data we hold secure.
Choices is registered with the Information Commissioner’s Office (“ICO”) as a data controller for the purposes of GDPR, and the Group Head of ICT is registered as the Data Protection Officer.
Under the terms of the GDPR you have the right to be informed about the personal information we collect, what we use it for, who we share it with and how long we keep it, and this is set out below.
In order to comply with our contractual, statutory, and management obligations and responsibilities we are required to process personal data relating to current, past and prospective employees, including sensitive personal data – this includes information relating to health, racial or ethnic origin, trade union membership and criminal convictions. This information is initially provided to us through an application for employment and is added to over the course of employment.
We will keep and use the personal data of employees to run the business, and manage our relationship with employees effectively, lawfully and appropriately, during the recruitment process, whilst employed by Choices, when the employment ends, and after the employee has left.
This policy sets out the lawful bases by which Choices collects, uses, retains and discloses the personal data of employees, as well as your rights in respect of such personal data.
Lawful Bases for processing personal data (including special category data) under Article 6 GDPR
The Performance of the Employment Contract
It will be necessary for us to collect, process and disclose your personal data for the performance of the employment contract, or in order to take steps prior to entering into the employment contract. Examples of the personal data processed in order for us to meet our contractual responsibilities include (but is not limited to)data relating to: payroll; bank account; postal address; sick pay; leave; maternity pay; parental leave; pension; and emergency contacts.
Choices’ statutory responsibilities are imposed by legislation, and the personal data we process in order to for us to meet those responsibilities include (but is not limited to)data relating to: the Right to Work; tax; national insurance; statutory sick pay; statutory maternity pay, and Health and Safety.
We must also comply with the requirements of the Care Quality Commission (“the CQC”) our Regulator, to process the personal information of our employees. This includes a requirement for all employees to complete a DBS check every three years.
In certain circumstances we may ask for an employee’s consent to obtain, use and disclose certain personal data, including sensitive personal data. For example, to provide a reference or information required by a mortgage lender, or to offer a voluntary benefit as part of an employee’s overall remuneration package. A record of such consent will be retained on the employee’s personal file. An employee has the right to withdraw consent to the processing of personal data, and can exercise this right by contacting the HR Team.
Choices will collect, process and disclose personal data where it has a legitimate interest to do so. This means in circumstances where it is both necessary and proportionate to do so for the functioning of the organisation, and where the requirement for processing outweighs the general privacy rights that employees have. Examples of such circumstances include (but are not limited to): to prevent fraud; to protect Choices’ legal position in the event of legal proceedings; health and safety matters; and, disciplinary matters; and, training and development.
Lawful Bases for processing special category data under Article 9 GDPR
Where we processes ‘special category’ data, which includes information in relation to an employee’s race, ethnic origin, political beliefs, religion, trade union membership, genetics, biometrics, health and sexuality we must establish an additional lawful basis for processing, as this personal data is more sensitive and needs additional protection.
Choices will collect, process and disclose special category data where:
– The employee has given explicit consent to the processing of personal data for one or more specified purpose;
– It is necessary for the purposes of performing or exercising the obligations or rights of Choices or employee in the field of employment law;
– It is necessary for the purposes of preventative or occupational medicine for assessing the working capacity of the employee;
– The processing is necessary for establishing, exercising or defending legal claims, or in accordance with a court order;
– It is necessary to protect the vital interests of the employee or another individual where they are physically or legally incapable of giving consent;
– It is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services;
Lawful Basis for processing special category data under Article 10 GDPR
Article 10 applies to data relating to criminal convictions and offences, which includes alleged offences, court proceedings and sentencing.
We will collect, process, and disclose data relating to criminal convictions where:
– We have identified a lawful basis for processing under Article 6 as detailed above, and;
– The employee has given consent to the processing of their personal data for one or more specific purposes – the employee has the right to decline to provide consent and, if consent is provided, to withdraw it at any time by contacting the HR Team;
– The processing is necessary to protect the vital interests of an individual, for example, in emergency situations or where a safeguarding issue has been identified, or;
– Where the processing relates to personal data which has been made public by the employee, or;
– The processing is necessary: for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); obtaining legal advice; or otherwise necessary for the establishing, exercising, or defending of legal rights, or;
– Processing is necessary when a court is acting in its judicial capacity.
However, it is a mandatory regulatory requirement that all employees engaged in the regulated activity of providing care have a completed DBS check every three years, and they will be unable to work until it is completed.
What personal data does Choices ask for and why?
We will not collect more data than is needed in order to recruit and we will not keep it longer than is necessary. The data asked for will be used to assess your suitability for employment. You don’t have to provide the data you are asked for, but it may affect your application if you don’t.
Application & shortlisting stage
Applications for employment are submitted electronically via Total Jobs. We also use employment agencies to fill vacancies when necessary. The recruiting manager, their Performance Compliance Manager, and the HR team will have access to the information received. Applicants are required to provide personal data including: name; contact details; previous experience; education; referees; answers to questions relevant to the role applied for; past criminal convictions and an appropriate DBS check where the specific post requires it; and, equal opportunities data (there is no obligation to provide this.)
It is a regulatory requirement for care providers such as Choices that all applicants must also complete a health questionnaire and disclose any existing medical conditions.
All the information provided during the recruitment process will only be used for the purpose of progressing the application, or to fulfil legal or regulatory requirements if necessary.
Choices will not share any of the information provided during the recruitment process with any third party for marketing purposes, and we will not store any of the information outside the European Economic Area.
Choices will use the contact details provided to contact the applicant to progress their application. The other information provided will be used to assess the applicant’s suitability for the role applied for.
Certain roles require that we contact referees immediately once an applicant has been shortlisted for the vacancy, and applicants will be advised of this prior to completing the application.
Equal Opportunities Monitoring.
We ask applicants to complete a selection of tick boxes to confirm their: Gender; Sexuality; Age range; Ethnicity; Nationality, Religion; and whether they have a disability. This data is collated and the statistics are used to ensure that we operate a non-discriminatory recruitment processes. This information also helps us to see who we are attracting to our vacancies, and to see if we have a diverse work force. The statistics collected do not reveal the person’s identity as we do not record that for these purposes.
We may ask an applicant to attend an interview, participate in an assessment day, and/or complete tests. Any information generated by assessments will be held by the Choices. Unsuccessful candidates may be asked for their express consent for their details to be retained securely in a ‘talent pool’ for six months so that we are able to contact them should a further suitable vacancy arise.
If we make a conditional offer, the applicant will be asked to provide further information so that the required pre-employment checks can be carried out. If the applicant has declared a medical condition on their completed application they must complete a Personal Health Declaration (as required by the CQC) which will help to determine if they are fit to undertake the work offered, or to advise if any reasonable adjustments are needed to the work environment or systems so that the applicant may work more effectively. The completed questionnaire is confidential and only seen by the Occupational Health Provider who will then advise us if any reasonable adjustments are required and what those adjustments are. Any report received from the Occupational Health Provider will be retained on the employee’s personal file.
We are under a legal obligation to confirm the identity of our employees, their right to work in the UK, and to seek assurance of their integrity and reliability. Applicants are, therefore required to provide the following: proof of identity; proof of qualifications; declaration of any unspent criminal convictions; an enhanced DBS check (required as the provision of care is regulated activity); and, contact details for referees.
Copies of the relevant documents will be taken and retained appropriately.
If we make a final offer, the applicant will be asked to provide: their bank details to process payment; emergency contact details; and, existing pension arrangements (if any).
How we make decisions about recruitment
Final recruitment decisions are taken by the recruiting manager, and the HR Team when necessary, on the basis of all the information collected during the recruitment process.
Applicants are able to obtain feedback on their application by contacting the recruiting manager.
How long is the information retained for?
We will only keep the information provided during the application process for as long as is necessary in order to comply with our statutory and regulatory requirements.
What personal data will Choices hold and why?
The information (including personal data and sensitive personal data) held by Choices regarding an employee will be added to over the course of their employment in the performance of the employment contract. This information will include (but is not limited to): the contract of employment and any amendments to it; correspondence with or about the employee; with the employee’s consent, a letter to a mortgage company confirming salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; records relating to career history including, appraisals and other performance measures; trade union membership; and, where necessary, disciplinary and grievance records.
The CQC requires that all care staff undertake compulsory role specific training periodically, and the training records will kept electronically and can be accessed by the relevant manager and the HR Team.
We may where necessary obtain and retain an employee’s health records, including GP records and notes. This data will be used in order to comply with health and safety and occupational health obligations, and to consider how an employee’s health may affect their ability to do their job and whether any adjustments may be appropriate. This data is also necessary to administer and manage statutory and company sick pay.
We may also take and retain photographs of the employee for use in internal communications, for the purposes of identification and security and, with consent marketing and press releases. Employees’ images may also be captured by CCTV systems installed at various locations – please refer to the CCTV Policy & Procedure.
We will hold all employee data securely in either individual electronic or paper employee files, and access will be limited to the employee’s line manager, relevant operational manager and the HR Team. In addition, it is a requirement of the CQC that any staff file is immediately available for them to view if requested.
It is also a CQC requirement that all night workers undergo a medical assessment which must be updated annually. The results are held securely on the employee’s file both at the scheme where they are employed, and centrally by the HR Team.
When will Choices share or disclose employee personal data?
In order to fulfil our statutory, regulatory and contractual requirements, we may need to share an employee’s personal data with an external third party, or one or more colleagues. However, the amount of personal information we share will be no more than is reasonably necessary.
We will display an employee’s name, job title, webmail address and contact number on Intranet contact pages.
Relevant employee information will be provided to our external providers of payroll services. This will include the employee’s name, bank details, address, date of birth, National Insurance Number, employee benefits received/purchased and salary. Relevant information will also be provided to pension scheme administrators and will include the employees name, date of birth, National Insurance Number and salary.
We may share an employee’s personal data (including sensitive personal data) with external third parties without the employee’s consent where: the disclosure is in the legitimate interests of Choices; there is a statutory duty to share the data; disclosure is required for the performance of a contract; disclosure is necessary to protect the vital interests of the employee; disclosure is made to assist the prevention or detection of crime, or the apprehension or prosecution of offenders; disclosure is required by a Court Order; disclosure is necessary for Choices to obtain legal or other professional advice.
In certain circumstances we will share sensitive employee data with work colleagues within Choices and the Wrekin Housing Group without consent where it is necessary to: protect the employee’s vital interests and the employee cannot give consent or consent cannot be reasonably obtained; to protect another person’s vital interest and the employee has unreasonably withheld their consent; for the discharge of any function designed for the provision of confidential counselling, advice support or any other service; the employee’s consent cannot be given; we cannot reasonably obtain the employee’s explicit consent, or requiring the employee’s explicit consent would prejudice the provision of that counselling, advice, support or other service; to meet a statutory or regulatory obligation; for the purpose of prevention or detection of crime or the apprehension and prosecution of offenders; pursuant to a court order requiring disclosure.
We may transfer information about employees to other members of the Wrekin Housing Group for purposes connected with their employment or the management of Choices’ business, and to external training providers.
Where we disclose employee personal data to external third parties (other than the Wrekin Housing Group), we will ensure that a confidentiality agreement is entered into and that it is satisfied that the third party will comply with its requirements under the GDPR
We use software devices to monitor both inbound and outbound emails for suspicious or inappropriate content, for example viruses or phishing, and obscene or illegal content, which may result in some emails being quarantined to ensure they dos not pose a risk to our systems.
A Manager may ask for delegated access to an employee’s email, and/or ask if an employee has received an email from a particular person. The ICT Team can access the employee’s email to confirm.
Similarly, our servers monitor the internet and bans certain content which is deemed to pose a security risk. Managers can also request confirmation from the ICT team of staff’s usage of the internet
We regularly receive requests for work experience from schools and colleges, and we will accommodate these requests where possible. When we have a work experience student we record: the school or college they attend; their name, address and telephone number; location of placement within the organisation; and, the emergency contact details. This information is held in a paper file for the duration of the placement. Upon completion of the placement the documentation is returned to the relevant college provider
Volunteers complete a basic application form, together with a DBS check, and we record: their name; address; telephone number; and emergency contact details. This information is held securely electronically for 12 months following the end of the placement and is then deleted.
The rights of future, current and former employees as data subjects, are extended under the GDPR, and are detailed below.
The right to access (known as subject access requests)
Employees have the right to obtain a copy or to view the personal information held about them by Choices. The request must be made in writing to the HR team, who will have one calendar month to provide a copy of the information free of charge. Please refer to the Subject Access Request.
The right of portability
Employees have the right to request the automated personal information provided by them to Choices be provided to them (or a third party) in a machine readable portable format free of charge so that it can be reused by the employee.
The right of erasure (the right to be forgotten)
Employees have the right to request for the removal or erasure of personal data, for example, if it is no longer necessary, the employee objects to the processing and/or the individual has withdrawn consent. This will not apply to all personal data held by Choices, but where it does apply and where the personal data has been disclosed to a third party, we will ensure that the third party is asked to delete the data. All such requests must be made in writing to the HR team.
The right to request rectification
The employee has the right to obtain the rectification of personal data where it is inaccurate, or to have incomplete personal data completed. Where the personal data has been disclosed to a third party, we will ensure that the third party is asked to rectify the personal data. All such requests must be made in writing to the HR team.
The right to restrict processing
An employee has the right to restrict processing of their personal data and where this right is exercised, we will only be allowed to store it. However, this right only arises in certain circumstances, for example: where the employee disputes the accuracy of the personal data, the processing of it will be restricted until it is rectified; where the employee has objected to the processing, the processing will be restricted until it’s determined whether Choices’ legitimate grounds override those of the employee’s; where we no longer need the personal information, but the employee requires it in connection with legal proceedings; and, where the processing is unlawful, but the employee has refused erasure.
The right to object
Employees have the right to object to Choices processing their personal information where the processing is based on a legitimate interest, or for the purposes of direct marketing. We will stop processing the employee’s personal data unless we can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the employee, or where the processing is for the establishment, defence or exercise of legal claims.
The right to complain
Employees have the right to complain to the ICO if they aren’t satisfied with the way Choices has processed their personal information. The Information Commissioner can be contacted on 0303 123 1113 or has a useful website at www.ico.org.uk
When your employment ends
Choices will comply with all statutory and regulatory requirements relating to the retention of employee information.
Changes to our Employee Privacy Notice
This Privacy Notice may change from time to time, and we will display any updated notice in the Employee Handbook.