About this notice and who it applies to
Data Protection law determines how organisations can use personal information.
In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.
We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew’s Healthcare will be processed unless the requirements for fair and lawful processing can be met.
This privacy notice applies to applicants, employees, (current and former), workers (including agency), work experience, volunteers and contractors.
This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.
Please also see our general Privacy Notice for further details.
What personal information we may collect
In order to carry out our legitimate activities and obligations as an employer, St Andrew’s may handle your personal data including, but not limited to:
• Personal details (including name, address, date of birth, telephone number, National Insurance number)
• Emergency contact(s), details of partners and dependents
• Employment records (including employment contract, salary, nationality and immigration status previous employment, professional membership, references and proof of eligibility to work in the UK, maternity/paternity documentation, attendance at work, sickness)
• Employee relations documentation (such as performance review, appraisals, performance management, grievance, capability, conduct)
• Personal documentation (including marriage certificate, driving licence, identity documents)
• Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
• Medical and occupational health information (including physical health or mental condition)
• Information relating to maternity, paternity, shared parental or adoption leave
• Information relating to health and safety
• Trade union membership
• Offences (including alleged offences), criminal proceedings, outcomes and sentences, and DBS check information
• Employment Tribunal applications, complaints, accidents, and incident details
• Payroll information (including tax information, student loans, court orders)
• Bank details
• Pension details
• Any salary sacrifice arrangements
• Training and development records
• Information on your use of the Charity’s information and communications systems which is detailed in the Charity’s Privacy at Work procedure
• CCTV footage and other information obtained through electronic means such as swipe/identity card records
• Information about your use of our information and communications systems
How the Charity obtains your personal data
The Charity will usually collect your personal data through the application and recruitment process, either directly from you or through an employment agency. This may include seeking information, such as references about you from third parties such as former employers prior to you starting with the Charity.
Lawful basis for processing your personal data
The charity must have a lawful basis to process your personal data. We have identified what the lawful basis is for processing your personal data. These include:
• Where you have given consent
• Fulfilling our obligations as your employer as part of your contract of employment
• Complying with laws and regulations (for example, the detection and prevention of crime and financial regulations)
• When it is necessary to protect the vital interests of an individual (for example, in a medical emergency)
• Where it is necessary for the Charity’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests
• Where it is necessary for St Andrew’s Healthcare to perform a task in the public interest
Why we need to process your personal data
There are a number of reasons why St Andrew’s needs to process personal data about you which include:
• Making a decision about your recruitment, continued engagement or termination
• Carrying out Disclosure and Barring Service DBS checks
• Checking you are legally entitled to work in the UK
• Staff administration and payroll
• Pensions and benefits administration
• Business management and planning activities such as accounting and auditing
• Performance management
• Education, training and development
• Health and safety
• Fitness to work
• Investigation and disciplinary process
• To prevent fraud
• Issuing identity cards and parking permits
• Equal opportunities monitoring
We seek to ensure that our information collection and processing is always proportionate and accurate.
We will notify you of any material changes to information which we collect or the purpose for which we collect and process it
Sharing your information
There are a number of reasons why we may need to share information with third parties which include the following:
• Our obligations to comply with law and regulations
• Our duty to comply with any Court Order which may be imposed
• Business administration support with our third party suppliers, for example, the Charity’s pension provider
• It being necessary to protect your vital interests or the vital interests of another person
Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place.
St Andrew’s Healthcare is responsible for protecting the funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you under a legal/statutory obligation which include:
• Her Majesty's Revenue and Customs (HMRC)
• Disclosure and Barring Service
• Home Office
• Child Support Agency
• Central government, government agencies and departments
• Other local authorities and public bodies
• Ombudsman and other regulatory authorities
• Financial institutions e.g. banks and building societies for approved mortgage references
• Law enforcement agencies including the Police and the National Crime Agency
• Department for Work and Pensions (DWP)
Security of your information
We take our duty to protect your personal information and confidentiality very seriously, and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible.
We ensure that your personal data is kept secure through methods such as access controls being in place for data held electronically and secure filing cabinets and filing rooms with limited access for paper records. This ensures that only the people who need to view your information are able to.
There are a number of senior employees throughout the organisation who have specific responsibilities for data protection and confidentiality. For example, at Executive level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of personal data and confidentiality identifiable information and confidentiality.
There is an appointed Data Protection Officer within the Charity who has specific responsibility for and knowledge of data protection compliance covering all aspects within the scope of this privacy notice and who is a point of contact for all queries.
There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data.
We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.
All staff are required to undertake annual Information Governance and data protection training and made aware of their responsibilities and best practice guidelines.
Keeping your personal information up to date
It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know either by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice, or by raising with your Line Manager. Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.
Retention and disposal of personal information
We will only retain information for as long as necessary. Records are managed in line with the Charity’s Records Management Policy. This ensures that we regularly review records and securely destroy records at the appropriate time. There are times when we need to keep certain records for set legal time periods.
Access to personal information
Data Protection law gives you the right to access the information which St Andrew’s Healthcare processes about you. This includes supplementary information about the processing that this privacy notice is designed to address.
Requests for access to personal data can be made in writing or verbally to:
St Andrew’s Healthcare
Telephone: 01604 616000
The Charity needs to validate that you are who you say you are. Therefore you may be asked to provide:
• Relevant information (for example full name, address, date of birth, staff number, etc.)
We may ask you for further information to help us locate what you are looking for.
We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt unless there is a reason for delay that is justifiable under UK Data Protection law.
If a subject access request is made and the request for access is thought to be unfounded or excessive, the Charity reserves the right to refuse to comply with the request in these circumstances.
In certain circumstances, you may also have the right to:
• Object to the processing of personal data that is likely to cause, or is causing, damage or distress
• In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
• Require us to correct any mistakes in the data we hold on you
• Object at any time to processing of personal data concerning you for direct marketing
If you believe you have any of these additional rights or you wish to exercise them, please let us know by contacting the Charity’s Data Protection Officer (details at the bottom of this privacy notice).
Raising a query or concern
If you have a query or concern about any aspects of this privacy notice, or how your data is handled or shared please direct your concern to the Charity’s Data Protection Officer:
Data Protection Officer
St Andrew’s Healthcare
If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:
The Information Commissioner's Office
Data Protection Notification with the Information Commissioner’s Office
St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.
The details of the Charity’s notification are available on the ICOs Data Protection Public Register.
St Andrew’s registration number is Z5735699.