HR PRIVACY NOTICE

Staff Privacy Notice

This Privacy Notice is to inform you of the type of information that CSH Surrey holds, how that information is used, who we may share that information with and how we keep it secure and confidential. It also explains your rights and our legal obligations.  We undertake information audits to establish clear lines on what personal data we hold and what we do with it.

CSH Surrey is a Data Controller registered with the Information Commissioner’s Office (ICO); our registration number is Z9948287. Our registered address is CSH Surrey, Dukes Court, 4th Floor Block A, Duke Street, Woking GU21 5BH and our company registration number is 5700920.

For all queries relating to CSH Surrey’s Information Governance, please email csh.igteam@nhs.net 

What information does the organisation collect?

The organisation collects and processes a range of information about you. This includes but is not limited to:

  • recruitment information: job applications, references and evidence of your identity;
  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • the terms and conditions of your employment;
  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
  • your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • details of your bank account and national insurance number;
  • your marital status, next of kin, dependents and emergency contacts;
  • your nationality and entitlement to work in the UK;
  • disclosures around your criminal record, if any;
  • your working pattern and attendance/absence at work including annual leave, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • supervision and 1-2-1 meetings, assessments of your performance, including appraisals, performance reviews and ratings;
  • training you have attended;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
  • details of trade union membership; and
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

The organisation collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the organisation collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in the organisation's HR management systems and in other IT systems.

Why does the organisation process personal data?

The organisation needs to process your data in order to enter into an employment contract with you and to meet its obligations under employment law.  This includes paying you your salary and administering pensions etc.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain roles, it is necessary to carry out criminal records checks to ensure that individuals are permitted/suitable to undertake the role in question.

In other cases, the organisation has a legitimate interest in processing personal data before, during and after termination of your employment. Processing employee data allows the organisation to:

  • conduct recruitment processes;
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • ensure effective general HR and business administration;
  • provide references on request for current or former employees;
  • respond to and defend against legal claims; and
  • maintain and promote equality in the workplace.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the organisation to operate check-off for union subscriptions.

Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is carried out for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

Our Legal Basis for Processing Special Category Data

HR Processes

HR processes will include personal and/or special category data, such as:

  • Staff employment records
  • Recruitment and selection
  • Sickness reporting
  • Payroll Administration
  • Electronic Staff Records
  • Occupational Health and Counselling Services
  • Staff survey
  • DBS checks
  • HR audits
  • Workforce diversity data
  • Employee relations

Who has access to data?

Your information will be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.

The organisation shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a TUPE transfer of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.

The organisation also shares your data with third parties that process data on its behalf, in connection with payroll, exercise of individual rights as defined within Data Protection legislation, the provision of benefits and the provision of occupational health services.

The organisation will not transfer your data to countries outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. The organisation has internal policies and procedures in place to ensure that your data is kept secure and is only accessed by authorised personnel.

Where the organisation engages third parties to process personal data on its behalf, it ensures that the third party is processing data under the written terms of a contract/agreement requiring them to comply with Data Protection legislation, including implementation of appropriate technical and organisational measures to ensure the security of data.

For how long does the organisation keep data?

Personal data processed for any purpose will not be kept for longer than is necessary for the specific purposes. All HR records are kept in line with the NHS Records Management Code of Practice 2021/Retention Schedules and the Department of Health Records Management Guidance.

CSH Surrey will regularly review the length of time we keep your personal data and securely delete information that is no longer needed for the purposes it was originally intended. This process will enable clear and accurate data, keeping it up to date, available and confidential.

International transfer of your personal data

CSH Surrey does not transfer, store or share personal data outside of the European Economic Area.

Your rights

Under Data Protection legislation, you have the following rights:

The Right of Access

We have a duty to provide you with rights of access to your data when requested.  Under Data Protection Legislation, individuals have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR).

To obtain a copy of your records, please submit your request to the CSH Surrey Subject Access Request Team.  Address: CSH Surrey SAR Team, 4th Floor, Dukes Court, Woking, Surrey, GU21 5BH Email: csh.sarteam@nhs.net

You will need to provide your information (e.g. full name, address, date of birth, employment number and forms of identification). If you wish for another person to submit your request on your behalf, they will need to obtain your written permission to do so before we can provide copies of your records. This ensures we are providing confidential information to authorised person(s).

An individual may choose to nominate a representative (such as a solicitor or relative) to make a request on their behalf; however, when this happens the request must be explicitly authorised by the data subject (e.g. evidenced by a signed letter of consent).

Those who hold Lasting Power of Attorney for Health and Welfare or Property and Affairs for an individual can apply for that individual’s records.

Download the Access to Health Records Application Form

Further guidance and assistance can be obtained from the Subject Access Request Team.

The Right to be Informed

Be informed about the collection and use of your personal data. This communication is achieved through this privacy policy.

The Right to object

Data Protection legislation gives individuals the right to object to the processing of their personal data in some circumstances. This will depend on the legal basis (as described above) for processing your information. In order to object, you will need to do so verbally or in writing to csh.sarteam@nhs.net

The Right to Restrict

Request the restriction of your personal data. However, this only applies when/if you contest the accuracy of the personal data, the data has been unlawfully processed and/if you oppose erasure and requests. You can make a request for restriction verbally or in writing to csh.sarteam@nhs.net

Rectification and Erasure

Request to have inaccurate personal data rectified or completed if it is incomplete.  The legislation states that ‘personal data is inaccurate if it is incorrect or misleading as to any matter of fact.’ You can make a request for rectification verbally or in writing to csh.sarteam@nhs.net

For pension or pay queries, you will need to contact our payroll provider SBS.

Complaints

If you have any comments, queries or complaints about this Privacy Notice or the processing of your personal information please address these to: Data Protection Officer, Central Surrey Health, 4th floor, Dukes Court, Woking, GU21 5BH

Email: CSH.DPOenquiries@nhs.net

Alternatively, you are entitled to get in touch with the Information Commissioner’s Office (ICO). The Information Commissioner’s Office enforces and oversees the Data Protection Regulations. To find out more about the information rights in the public interest, further details can be found at: www.ico.org.uk

Updated July 2024