Employee privacy notice

We respect your privacy and are committed to protecting your Personal Data. 

This Privacy Notice sets out details of the Personal Data that we may collect from you and how we may use that information and applies to prospective, current and former employees, workers, agents and contractors of Berkshire Healthcare NHS Foundation Trust. "Personal Data" is defined in the UK General Data Protection Regulation ("UK GDPR") as any information relating to an identified or identifiable natural person. In the UK, it will only be lawful to process Personal Data to the extent that doing so is fair, lawful and transparent. 

This Privacy Notice does not form part of any contract of employment or other contract to provide services.

This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below.

Please take your time to read this Privacy Notice carefully.

About us

In this Privacy Notice we use "we" or "us" or "our" or "Berkshire Healthcare" or the "Trust" to refer to Berkshire Healthcare NHS Foundation Trust.

Berkshire Healthcare is the data controller for the information we collect about you.

The Data Protection Officer ("DPO") for Berkshire Healthcare is the Associate Director of Information Governance.  If you have any questions about this Privacy Notice, please contact the DPO using the details set out below:

Email information.governance@berkshire.nhs.uk

Postal address
Information Governance Team
Berkshire Healthcare NHS Foundation Trust
London House
London Road
Bracknell
RG12 2UT 

Call 0300 365 6565

Changes to this Privacy Notice and your duty to inform us of changes

This Privacy Notice was last updated on 4th September 2025 and historical versions can be obtained by contacting us.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

Complaints about how we handle your Personal Data

You have the right to make a complaint at any time to the Information Commissioner's Office ("the ICO"), the UK supervisory authority for data protection matters.

Visit the ICO website

Call 0303 123 1113 

We would however appreciate the chance to listen to your concerns before you approach the ICO, so please contact us in the first instance.  Your feedback helps us to continue improving our practices.

You can find our complaints policy, and details about how to send a complaint to us on our website. 

Contact us to make a complaint: complaints@berkshire.nhs.uk

Purpose of this Privacy Notice

Our Privacy Notice explains:

  1. Why do we collect Personal Data about you?
  2. What Personal Data do we collect about you?
  3. How do we collect your Personal Data?
  4. What are the purposes for which your Personal Data is used?
  5. Who do we share your Personal Data with?
  6. How do we store your Personal Data and for how long?
  7. What are your rights?

Further detail on all of those areas can be found by clicking to expand the relevant sections below.

In general terms, as your employer, former employer or prospective employer, as the case may be, or as the organisation with which you otherwise contract as a worker or independent contractor, we collect, store and process your Personal Data for a variety of reasons related to your employment; former employment; potential employment or your engagement with us, current, past or future.  

We will collect and process your Personal Data for other purposes, including those which are incidental to your employment or engagement and for diversity and inclusion purposes.

Personal data

As a prospective, current or former employee of, or worker or independent contractor for, Berkshire Healthcare, the Personal Data we hold about you may include the following:

  • personal contact information including your name, home address, personal telephone number(s) and/or personal e-mail address;
  • business contact information including your business e-mail address and/or telephone number;
  • demographic information such as your date of birth, gender and marital status;
  • documents gathered during the recruitment process including your CV, application form, references, professional memberships and/or qualifications and background vetting information (including proof of address);
  • documents maintained and updated during your employment or engagement relating to professional memberships and qualifications and statutory and mandatory training (including but not limited to professional revalidation);
  • the results of any assessments we ask you to carry out either during the recruitment process or while you are employed or engaged;
  • emergency contact information;
  • documents providing your identity such as your passport and/or driver's license;
  • your image for security and ID badges;
  • documents evidencing your right to work (including information about your immigration status where relevant);
  • information about your career history;
  • your declarations of outside interests, gifts and hospitality received;
  • financial information including bank account, HMRC and pension details, and compensation history;
  • general employment or engagement records including job title, details of training, disciplinary and grievance matters, benefits, holiday and other absences, along with a copy of your employment contract, performance records (including appraisals);
  • information gathered through the Trust's monitoring of its IT systems, building access records and CCTV recording; and
  • Personal Data which you otherwise voluntarily provide, for example when using your Trust e-mail account.

Special Category Personal Data

In addition to the above, we may also collect Personal Data which is classed as "Special Category Personal Data" under Article 9 of the UK GDPR. Special Category Personal Data is Personal Data which reveals information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or is genetic data or biometric data which is processed for the purpose of identifying a natural person.

From time to time, and only where relevant to your employment, or engagement, or required by law, we may collect the following types of Special Category Personal Data from you:

  • information about your health, disabilities and any support we can provide you (including any reasonable adjustments to your role that you require); and
  • information about your racial or ethnic origin, nationality, gender, religious beliefs and sexual orientation and disabilities, so that we can monitor equality, diversity and inclusion within our organisation.

In addition to the above, employees or others in clinical roles, other regulated roles and for any roles that involve contact with patients in the course of their normal duties are required to undergo Disclosure and Barring checks (DBS), and every five years where there is a legal requirement or it is Trust policy to do so.

This is so that your suitability for your position can be assessed. In practice, this may involve us collecting information relating to criminal convictions and offences ("Criminal Offence Data") insofar as any information about you which concerns criminal convictions and/or offences is included in the response we received from the DBS check.

As an employee, worker or contractor we will primarily collect Personal Data from you directly, however we may also receive Personal Data about you from third parties. These may include, for example, former employers or clients for referencing purposes, third parties such as the Disclosure and Barring Service, professional bodies and the NHS Counter Fraud Authority.

We may also collect Personal Data about you from publicly available sources including information obtained through internet search engine results and social media sites.

We do not routinely collect this type of information. However, in certain circumstances such as during a disciplinary investigation involving social media activity that may breach Trust policy, we may collect this data.   

In general, we may process your data for a number of different purposes. Each time we collect and process Personal Data for one of these purposes, we are required to have a lawful basis for doing so. These are prescribed by Article 6 of the UK GDPR as follows:

  • Consent: where an individual has provided their free and informed consent for us to process their Personal Data for one or more specific purposes.
  • Performance of a contract: where it is necessary to process Personal Data in order for us to fulfil our obligations under a contract to which the relevant individual is a party. This legal basis is commonly relied upon in an employment setting.
  • Legal obligations: where processing is necessary in order to comply with a legal obligation to which we are subject. This could include, for example, sharing your information with a regulator for tax purposes.
  • Vital interests: where processing is necessary in order to protect the vital interests of the individual, or of another natural person.
  • Public interest: where processing is necessary for the performance of a task which is carried out in the public interest, or in the exercise of our official authority.
  • Legitimate interests: where processing is necessary for the purposes of our own legitimate interests, except where our interests are overridden by the interests or fundamental rights and freedoms of the individual whose Personal Data we are processing.

When we process Special Category Personal Data, we must have a specific additional legal ground for such processing.

You will find details of our legal grounds for each of our processing purposes that follow.

Special Category Personal Data

In addition to the lawful bases identified above, in order for our processing of Special Category Personal Data to be lawful, we are required to satisfy one or more of the additional conditions prescribed by Article 9 of the UK GDPR. Of relevance to us, these include that processing is necessary:

  • for the purposes of meeting obligations in the field of employment or engagement;
  • for reasons of substantial public interest; and/or
  • in connection with the establishment, exercise or defence of legal claims.

In terms of our processing of Criminal Offence Data, this will only be lawful to the extent that such processing is carried out under the "control of official authority" or it is otherwise "authorised by domestic law". The latter condition is met in the present case on the basis that it is necessary for us to process Criminal Offence Data for employment purposes.

If you fail to provide Personal Data

If you fail to provide certain Personal Data when requested, we may not be able to consider you for a role or perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. However, please note that we may sometimes process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Purpose 1: Recruitment and selection

For example, this may include, but is not limited to:

  • Making a decision about your recruitment or appointment
  • Determining the terms on which you work for us
  • Where you are a current employee, considering your eligibility for promotion or for alternative roles within the Trust or with other organisations in the wider NHS. This includes sharing relevant employment information such as references or records of statutory and mandatory training with other NHS organisations, in line with national NHS workforce mobility initiatives.

Legal grounds:

  • We generally rely on the ground that the processing is necessary for the performance of a task carried out in the public interest when processing your Personal Data in connection with recruitment activities. This includes sharing relevant employment information such as references or records of statutory and mandatory training.
  • However, we may also rely on the performance of a contract as the legal basis when processing your Personal Data for this purpose, for example if steps are being taken in anticipation of entering into a contract with you. This may include the transfer of employment related data to facilitate internal moves or secondments within the NHS, where such data is necessary to assess suitability or readiness for a new role.

Purpose 2: Staff administration and management

For example, this may include, but is not limited to:

  • Administering any contract we have entered into with you
  • Corresponding with you as needed for your employment or engagement
  • Managing and improving your performance, including the conduct of appraisals
  • Enabling us to offer you any support you may require for your role, and make reasonable adjustments to your role
  • Occupational health and wellbeing services
  • Addressing disciplinary and grievance issues
  • Monitoring the proper use of our IT systems, including clinical systems

Legal grounds:

  • performance of a contract is the legal basis we generally rely on when processing your Personal Data for this purpose
  • performance of a task carried out in the public interest is the legal basis we may also rely on when processing your Personal Data for monitoring the proper use of our IT systems

Purpose 3: Workforce management and business operation

For example, this may include, but is not limited to:

  • The day-to-day management of tasks, responsibilities and workflows
  • Wider business operational management
  • Talent management
  • Work-force planning within Berkshire Healthcare or with other organisations in the wider NHS

Legal grounds:

  • performance of a contract is the legal basis we generally rely on when processing your Personal Data for this purpose, particularly where the management relates specially to you and any contract we have in place with you
  • performance of a task carried out in the public interest is the legal basis we may also rely on when processing your Personal Data for this purpose, particularly where any management is being carried out on a higher operational level to ensure the Trust is able to carry out its functions

Purpose 4: Financial administration  

For example, this may include, but is not limited to:

  • ensuring you are appropriately remunerated for your employment or engagement and you receive the benefits you are entitled to
  • the provision of additional optional benefits, such as salary sacrifice schemes for childcare vouchers, lease cars, cycle to work schemes, etc.
  • Debt management and collection

Legal grounds:

  • performance of a contract is the legal basis we generally rely on when processing your Personal Data for this purpose

Purpose 5: Improvement of Trust and People Directorate systems and processes

For example, this may include, but is not limited to:

  • the assessment and improvement of the services provided by the Trust and/or the People Directorate through for example, research, employee engagement surveys, service evaluation and data analysis
  • administering and improving the Trust's and/or the People Directorate's and/or other organisations in the wider NHS's systems and processes, which may include the use of new or automated platforms for recruitment (e.g. the use of talent pools), training, performance evaluation, time management, and employee engagement

Legal grounds:

  • performance of a task carried out in the public interest or legitimate interests are the legal bases we generally rely on when processing your Personal Data for this purpose

Purpose 6: to safeguard the interests of the Trust and its patients

For example, this may include, but is not limited to:

  • monitoring the proper use of the Trust's IT systems
  • preventing fraud against the Trust and its patients
  • to protect the Trust's confidential and proprietary information, and intellectual property

Legal grounds:

  • legal obligation is the legal basis we generally rely on when we process your Personal Data for this purpose
  • performance of a task carried out in the public interest is the legal basis we may also rely on when we process your Personal Data for this purpose, particularly when this is for safeguarding purposes.

Purpose 7: for the purposes of monitoring equality, diversity and inclusion

Legal grounds:

  • performance of a task carried out in the public interest is the legal basis we generally rely on when we process your Personal Data for this purpose.

Purpose 8: to comply with legal obligations and/or regulatory requirements

For example, this may include, but is not limited to:

  • complying with any information provided by professional regulators such as the CQC, NHS Improvement, the Nursing and Midwifery Council and General Medical Council
  • complying with health and safety obligations

Legal grounds:

  • legal obligations is the legal basis we generally rely on when processing your Personal Data for this purpose

The Trust will share employee Personal Data with third parties only in limited circumstances and where this is necessary for the performance of the employment contract, to administer the working relationship with you or to comply with a legal obligation, in connection with criminal or regulatory investigations undertaken by third parties or otherwise in pursuit of the Trust's legitimate business interests.

Which third-party service providers process my Personal Data?

Third parties include third-party service providers (including contractors and designated agents). The following activities may be carried out by third-party service providers:

  • employee and candidate screening services;
  • staff administration and management (including HR, occupational health, payroll and finance, performance and pension administration);
  • staff training;
  • benefits provision and administration;
  • occupational health services;
  • staff and engagement surveys;
  • IT and system support and management services; and
  • Counter Fraud Authority.

Employee Personal Data is shared under the terms of a written agreement between the Trust and the third party which includes appropriate security measures to protect the Personal Data in line with this Privacy Notice and our obligations. The third party service providers are permitted to use the Personal Data only for the purposes which we have identified or as is permitted by law, and not for their own purposes, and they are not permitted to further share the data without our express permission.

As an employer within the NHS, the Trust may be required to share employee Personal Data with other Trusts from time to time for the purposes set out in this Privacy Notice. In particular, the Trust shares employee Personal Data for the purposes of facilitating cross organisation clinical care, workforce planning, collaborative working, operational effectiveness, medical research and for pre-employment checking purposes.

In some circumstances we may also anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We do not transfer your Personal Data outside the European Economic Area ("EEA").

Your Personal Data is primarily stored within our secure IT systems and in some services, employee personal files are retained in hard copy. We have technical and organisational measures in place to ensure your Personal Data is protected, including:

  • encryption of our data and IT equipment;
  • regular data protection training for our employees;
  • regular testing of our technology;
  • restricted access controls (i.e. measures to ensure only people who need to access your Personal Data are able to do so); and
  • physical security measures.

We will retain your Personal Data in accordance with our Retention of Records Policy which is available on request. This means that we will retain it for as long as is reasonably necessary in order to fulfil the purposes for which we collected it, and in accordance with applicable statutory or professional retention periods that may apply. In most instances, this means we will retain your Personal Data throughout your employment or engagement and for a period thereafter. 

Generally, we will retain your Personal Data for 7 years from the date on which your employment or engagement ends. At the conclusion of that period, we will review whether it is still needed in accordance with our Retention of Records policy.

Personal data processed for the purposes of DBS renewal checks will be retained for six months.  

Individuals have rights in relation to their Personal Data, including in relation to the way that it may be collected and used. As a Data Controller of your Personal Data, we are required to comply with the UK GDPR, and to give effect to your rights. Details of your rights are set out below.

  • Right to be informed: You have the right to be informed about our collection and use of your Personal Data. In particular, and in order for us to comply with our obligation to be transparent about our use of your Personal Data, you have the right to know the purposes for which we process your Personal Data, the retention periods for your Personal Data and who it may be shared with. This information is contained within this Privacy Notice.
  • Right of access: You have the right to access the Personal Data that we hold about you. This type of request is referred to as a Subject Access Request, or a “SAR”. As well as being entitled to receive a copy of your Personal Data, you are also entitled to certain pieces of information, such as who we may have shared your Personal Data with, or the length of time we expect to hold it for. You can request a copy of the information we hold about you by contacting the HR team. The information will be assessed and may have information provided by third parties or about third parties removed before it is given to you. The Berkshire Healthcare SAR policy is available by contacting the DPO using the details given above on this page.
  • Right to rectification: We are required to take reasonable steps to ensure the Personal Data we hold about you is accurate and complete. You have the right to ask us to correct or complete any inaccurate or incomplete Personal Data that we hold about you.
  • Right to erasure: You have the right to ask us to erase the Personal Data that we hold about you. This is also known as the 'right to be forgotten'. There are however some exceptions to this right.
  • Right to restrict processing: You have the right to request that the processing of your Personal Data is restricted. This could include, for example, a request that we stop processing your Personal Data for a certain period of time. Similarly to the right to erasure however, there are exceptions to this. For example, we may not be able to ‘pause’ processing your Personal Data in circumstances where it is necessary in order to perform tasks which are in the public interest.
  • Right to data portability: You have the right to receive copies of any Personal Data which you personally provided to us in a structured, commonly used and machine-readable format, so that you can transmit it to another Data Controller of your choice.
  • Right to object: You have the right to object to us processing your Personal Data where the legal basis we rely on for doing so is that processing is necessary: (i) for the performance of a task carried out either in the public interest or in the exercise of official authority vested in us; or (ii) for the purposes of our own legitimate interests. You also have the right to object to your Personal Data being processed for marketing purposes, without exception.
  • Right not to be subject to automated decisions: You have the right not to be subject to solely automated decisions. An automated decision is one that is made by a computer without any human input, using your Personal Data, that has a legal or other significant effect on you.

In most cases, your rights are not absolute. The UK GDPR and Data Protection Act 2018 ("DPA 2018") provide several exemptions to your rights which give us a lawful basis for declining to give effect to your rights, where applicable. Your right of access, by way of example, is limited in circumstances where your Personal Data is mixed with that of another individual, and it would not be reasonable to disclose it without their consent. 

In practice, our ability to rely on an exemption will depend on the purpose for which we are processing your Personal Data, and whether it would be necessary and proportionate to give effect to your rights or not, having regard to all relevant circumstances. Please note that we consider requests relating to your rights on a case by case basis, and do not routinely rely on exemptions, nor apply them in a blanket fashion.

If you wish to exercise any of the rights set out above, please contact our DPO using the details given above on this page.

Fees

  • You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

  • We are obliged by law to respond to all legitimate requests within one month unless your request is particularly complex or you have made a number of requests. In this case, we can take an extra two months to respond to the request and consider charging a fee. If this is the case, we will notify you within one month of receiving the request and keep you updated.