Information Privacy Notice
Everyone working for the Trust has a legal duty to keep personal information confidential, which includes that of staff members
This Privacy Notice describes how the Trust uses and processes the information it holds about its staff, including how the information may be shared with other organisations, and how the confidentiality of staff information is maintained.
City Hospitals Sunderland NHS Foundation Trust is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. The Trust Registration Number is: Z7637350
For the purposes of this Privacy Notice “staff” includes all employees, including but not limited to, permanent staff, agency, contract and temporary staff, volunteers and students.
As part of the Healthcare Alliance the Human Resources operates as a single department across both South Tyneside NHS Foundation Trust and City Hospitals Sunderland Foundation Trust. South Tyneside NHS Foundation Trust acts as a Data Processor for City Hospitals Sunderland Foundation Trust in respect of employee information. Each Trust maintains a separate Electronic Staff Record
How is information about me used by the Trust?
The Trust collects and uses your information for the lawful purposes of administering the business of the Trust and carrying out its obligations in relation to employment. As an employee, the Trust does not need to obtain your consent to process your information. These purposes include:
- Management of the Trust workforce data (including payroll and performance);
- Monitoring and management of occupational health;
- Provide a comprehensive picture of the workforce and how it is deployed;
- To inform the development of recruitment and retention policies;
- To allow better financial modeling and planning;
- For the monitoring of ethnicity, sexual orientation, disability and other protected characteristics;
- To keep images to identify you either as part of the various security access systems, including CCTV, or as part of an overall briefing system for senior managers;
- To keep images that appear in Trust or other publications or websites to market and promote the Trust;
- To allow the Trust policies to be implemented and acted upon when appropriate.
There are many reasons linked to staff administration of your employment such as paying you and processing any changes that happen as a result of your career development.
Information about you is specifically processed under Articles 6(1)(b) and 6(1)(c) and 9(2)(b) and 9(2)(h) of the General Data Protection Regulation
What information is collected about me?
In order to carry out our activities and obligations as an employer we handle information about you in relation to:
- Personal details such as name, address, telephone number(s), date of birth.
- Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
- Medical information (including physical and/or mental health)
- Emergency contact(s), eg next of kin details
- Education and training
- Employment details (including job role, place of work, references and proof of eligibility to work in the UK)
- Membership of professional bodies and/or trade union(s)
- Bank details, eg in order to pay your salary
- Pension details
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment tribunal applications, complaints, accidents and incident details
- Visual images, eg photographs on staff notice boards or CCTV monitoring
- Supervision and appraisal documentation
- Sickness absence and annual leave details
You should be aware that once you have approved your image to appear in a publication (usually done verbally) we may not be able to completely retrieve this image if you change your mind about its use. Your image may appear again at a later date unless you specifically indicate otherwise.
The Trust may use your information in order to gather evidence for disciplinary and other staff processes. The use of this information will always be proportionate in relation to the evidence being sought.
How is Information kept about me?
Your information is stored in both paper (personnel files held by your line manager) and electronically on ESR. Other temporary files may be created as a result of investigations, disciplinaries or complaints but these will usually be kept separately from the personnel file or destroyed in line with the agreed destruction criteria. If a sanction is applied, it will be noted on the personnel file.
Who do you share my information with?
We will not routinely disclose any information about you to anyone outside the Trust without your consent. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. We may obtain and share personal information with a wide variety of other bodies, which may include, but is not limited to:
- Her Majesty’s Revenue and Customs (HMRC)
- Department for Work and Pensions (DWP)
- Disclosure and Barring Service (DBS)
- Home Office
- Child Support Agency
- Regulatory bodies, eg NMC, GMC
- Law enforcement agencies including the Police and the Serious Organised Crime Agency
- NHS Business Services Authority – National Electronic Staff Record (ESR) system
If you post or send offensive, inappropriate or objectionable content anywhere on www.chsft.nhs.uk or on the Trust’s Social Media pages, or otherwise engage in any disruptive behaviour we may use whatever information is available to us, about you, to stop such behaviour.
How long will you keep my information?
We will keep your employment information for the periods defined in the Records Management Code of Practice for Health and Social Care 2016. Specifically, we will retain your detailed information for a period of 6 years after you leave the Trusts employment at which point we will create a summary of your staff record and retain this until your 75th Birthday. Your main employment record with the Trust will be destroyed 6 years after you leave.
How can I access my information?
You can request access to the information that the Trust holds about you and you should do this by approaching your line manager in the first instance. They will provide you with guidance on the Trust’s processes. Your request, once agreed with you, will be completed within 30 calendar days. However, if your records are extensive we may take longer to process your request but will inform you from the outset.
To submit a formal request, please contact:
Recruitment Services Manager – City Hospitals Sunderland NHSFT and South Tyneside NHSFT
Employee Services Department
Information that you are entitled to:
As well as receiving a copy of the information that the Trust holds and processes you are also entitled to the following:
- To be told whether any personal data is being processed.
- Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people.
- Given a copy of the personal data together with its source (where this is available).
- Have inaccuracies corrected or removed
How do you make sure it is safe and secure?
We will use your information in a way that follows data protection laws and Trust policies and procedures.
Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and consented to, unless it is required or permitted by the law.
All Trust staff are required to undertake mandatory Information Governance training, which covers how personal information should be processed.
We do not transfer personal information to a country outside of the European Union (EU) and this is checked on a yearly basis. If it is found that we intend to share information outside of the EU, appropriate and suitable safeguards will be put in place, which you will be told about.
We ensure that the systems, both paper and electronic, that we use to store and process your data are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of the information.
How do you protect my privacy/confidentiality?
We protect your information by following data protection laws:
- General Data Protection Regulation (GDPR)
- Data Protection Act (DPA) 2018
The GDPR and DPA 2018 are the laws that primarily determine how we can use your personal data. However, there are other laws that are followed if we need to process your information:
- The Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1998
- Audit Commission Act 1998
- Regulation of Investigatory Powers Act 2000
Data Protection Officer
The Trust’s Data Protection Officer (DPO) is responsible for ensuring that the Trust complies with the GDPR. The DPO is the person to contact if you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described. Their contact details are:
Data Protection Officer
Information Governance Department
South Tyneside District Hospital
Or email to email@example.com
For independent advice about data protection, privacy and information-sharing issues you can contact the Information Commissioner:
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45