Privacy Notice for Staff and Workers
Protecting Your Data – Informing you how we Use and Collect Your Data
Background
As an employer, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL), (hereafter referred to as the Trust) must meet its contractual, statutory and administrative obligations. This ‘Privacy Notice’ explains in detail the types of personal data that the Trust processes about you.
The Trust is a Data Controller. A Data Controller determines how the data will be processed and used within its organisation, and with whom it may share the data.
The Trust is registered as a ‘Data Controller’ with the Information Commissioner’s Office (ICO) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. Our ICO registration number is Z5040527. We are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the data protection principles under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This notice also explains how we handle personal data and keep it safe and secure.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
- Caldicott Guardian
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional appointed to ensure that the data about those who use its services is handled in a confidential manner by the Trust, and to enable appropriate data / information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Mr Alex Benson.
- Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director in the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is Malcolm Gandy.
- Data Protection Officer (DPO)
Under the UK General Data Protection Regulation (UK GDPR) all large public authority organisations such as MWL are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will act as a contact point for you and will also act as the main contact for communication with the Information Commissioner’s Office.
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
The DPO can be contacted via the following means:
- Address: Pavilion Building, Alexandra Business Park, Prescot Road, St Helens, WA10 3TP
- Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law. When such changes occur, we will revise the last updated date as documented in the version status in the footer of this document.
Introduction
The Trust, as your employer, collects personal data about you using the following legal bases:
- Article 6 1(b) – Processing is necessary for the performance of staff contracts
- Article 6 1(c) – Processing is necessary for compliance with a legal obligation
- Article 6 1(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust
Further specific details are provided in the ‘Data Processing Activities’ section below.
In general, the types of processing we undertake using personal data are:
- Recruitment and employment checks (for example, professional membership, references, proof of identification, right to work in the UK and Occupational Health clearances, etc)
- Staff Administration (bank account and salary / wages, as well as pension, tax and national insurance details)
- Education, training and development
- Publishing of senior level staff names in ‘Annual Reports’ and / or in response to Freedom of Information requests – the Trust has a legitimate interest to publish this information
- Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
- Medical information relevant to your employment, including physical health, mental health, evidence of relevant vaccinations where a legal duty applies and absence history
- Information relating to your health and safety at work, and any incidents or accidents
- In order to comply with health and safety legislation we may undertake risk assessments
- Professional registration and qualifications, education and training history
- Information relating to employee relations (i.e. disciplinary proceedings, grievances and complaints, tribunal claims, etc)
- Criminal prosecution and prevention
- National fraud initiatives
- Conflict of Interest Forms
- Quality monitoring such as staff surveys
- Access to systems (network / email) and IT services
- In order to complete mandatory / legally required registers e.g. the Conflict-of-Interest Register
If we need consent to process your data under Article 6 (1) (a) of the UK GDPR we will contact you about this. The reasons for this will be explained to you clearly, using plain language. For more detail please see the “Purposes where consent is required” section.
Please regularly check this privacy notice as it is constantly updated to ensure we inform you of all types of processing of your personal data.
- Data Sources
Your information could be collected in a number of different ways. This could be directly from you - in person, over the telephone or on a form you have completed, such as a job application, contractual documentation, timesheet or spreadsheet.
Data also comes from external sources such as NHS Jobs, your professional body, current or previous employers or referees, the Disclosure and Barring Service, or government bodies like HM Revenue and Customs, the Department for Work and Pensions, or UK Visas and Immigration. Further details about our processing activities are set out below.
- Definition Of Data Types
The following are key words that are used to describe what data the Trust may use and other key Data Protection terminology that you will notice throughout this privacy notice.
Processing
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
A Data Controller determines the purposes and means of processing personal data. The Trust is a Data Controller: we decide what to do with your data.
Data Processor
A Data Processor acts on the instruction of a Data Controller and processes data on behalf of the controller. There may be instances where the Trust uses a Data Processor to process your personal data. If we do, the Data Processors we use must provide us with assurance that they will keep your data safe, and demonstrate how. Just like Data Controllers, they must also adhere to Data Protection legislation when processing any kind of personal data.
Personal Data
This is information that identifies an individual, whether from a single data item or a combination of data items. Demographic data items such as name, address, NHS Number, full postcode and date of birth are considered identifiable. Under UK GDPR, this now also includes location data and online identifiers.
Special Category Data
This is personal data that requires more protection due to the sensitive information it contains. The UK GDPR defines this as personal data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also covers genetic or biometric data (where used for identification purposes), data concerning a person’s sexual life or sexual orientation, and data relating to health. It does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
Personal Confidential Data
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
This is also sometimes known as reversible anonymisation. Patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference. To be truly regarded as pseudonymised data the organisation must not hold the key to be able to reverse the anonymisation.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
- Our Data Processing Activities
The law on data protection under the UK GDPR sets out a number of different reasons for which personal data can be processed. The law states that we have to inform you what the legal basis is for processing personal data and, if we process special category data such as your occupational health data, what the condition is for processing it. The Trust also uses the services of data processors to process staff data, as detailed below. The organisations we work with are bound by contractual agreements which set out that your information is processed under strict conditions and in accordance with the law.
Recruitment and employment checks
Data Processor
- St Helens and Knowsley Teaching Hospitals NHS Trust (MWL) / NHS Jobs / Trac Systems Limited.
Type of data
- Personal Data – Demographics / Bank Details
- Special Category Data – Race, ethnic origin, health, sexual life, criminal convictions (covered under the Data Protection Act 2018)
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(b) - Processing is necessary for the performance of staff contracts.
- Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
- In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.
Recruitment and employment checks are carried out by the Trust. Personal data collected by the Trust during the recruitment process is downloaded from a recruitment management system called ‘Trac Systems Ltd’ and retained for successful applicants only.
The TRAC System is an automated recruitment system which enables greater communication to the recruiting managers. Managers that are recruiting staff into post will be able to log on and view the status of their vacancy, and progress of the pre-employment checks including ID Checks, Right to Work, Convictions, Professional Registration, Occupational Health and References.
Whilst TRAC is a separate advertising stream to NHS Jobs, jobs will still be posted on NHS Jobs (as a signpost only) and candidates that wish to apply for a vacancy will be redirected to the Trac portal. Privacy notices provided by Trac are displayed to all people who apply directly into the Trac Recruitment System.
Information downloaded from the system by the Trust is emailed to the Human Resources Team for the area to which you have been appointed, and forms the basis of your employee personal file. The NHS Jobs website, supplied by Trac Systems Ltd, has updated its privacy notice.
Workforce Management
Data Processor
- ESR (Electronic Staff Record) System
Type of data
- Personal Data – Demographics
- Special Category Data
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(f) - processing is necessary for the purposes of legitimate interests pursued by the Trust.
- Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
- In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.
The NHS ESR system provides the Trust with a range of tools that facilitate effective workforce management and planning; thereby enabling improved quality, improved efficiency and improved patient safety.
For more detail about the NHS ESR system see: https://www.electronicstaffrecord.nhs.uk/home/
Payroll / Pension
Data Processor
- St Helens and Knowsley Teaching Hospitals NHS Trust (MWL)
Type of data
- Personal Data – Demographics / Bank Details
- Special category data – to set up voluntary deductions to a trade union (where applicable).
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(b) - Processing is necessary for the performance of staff contracts.
- Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
E-Learning
Data Processor
- Health Education England (e-learning for Health)
Type of data
- Personal Data – Demographics
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust.
The training system used by the Trust is the national e-learning system for healthcare https://www.e-lfh.org.uk/
IT Administration (network / email / system account administration)
Data Processor
- St Helens and Knowsley Teaching Hospitals NHS Trust (MWL) – IT Department
Type of data
- Personal Data – Demographics
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller.
The IT Department processes your demographic details in order to set you up on the network and systems. This is also required to set you up with a Trust account and, for users who require it, an email account.
As administrators of the network, the IT Department may have access to files and folders where personal data and / or special category data are stored, in order to resolve any IT issues regarding those files / folders. All IT staff sign confidentiality agreements and receive adequate IG training to ensure they keep this information safe and secure.
MIAA – Local Counter Fraud Services
Data Processor
- MIAA - Local Counter Fraud Services
Type of data
- Personal Data – Demographics
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(c) – For compliance with a legal obligation
MIAA work in partnership with the Trust to establish an organisation-wide culture of fraud prevention and fraud risk management. They assess the organisation’s specific fraud risks and will investigate any alleged instances thoroughly.
- Purposes where consent is required
There are also other areas of processing where consent is required for us or you to continue with a data processing activity. Under UK GDPR, consent must be freely given, specific and informed, and a record must be made that you have given your consent, confirming that you have understood.
Employee Assistance Programme / Health and Wellbeing Support
Data Processor
- Vita Health Group, St Helens and Knowsley Teaching Hospitals NHS Trust (MWL) – Absence Support Team
Type of data
- Personal Data – Demographics
- Special Category Data – Health Data
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(a) - Individual has given consent to the processing of personal data.
- Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems.
Vita Health Group specialise in the provision of the Employee Assistance Programme (EAP) and are a data processor for the Trust. To view their ‘Privacy Policy’ see:
https://www.vitahealthgroup.co.uk/data-protection-policy/
Occupational Health
Data Processor
- St Helens and Knowsley Teaching Hospitals NHS Trust (MWL) and Physio Med (for physiotherapy assistance)
Type of data
- Personal Data – Demographics
- Special Category Data – Health Data
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(a) - Individual has given consent to the processing of personal data.
- Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems.
Physio Med specialise in the provision of the Physiotherapy services and are a data processor for the Trust.
UK GDPR Article 15 - Right of Access Requests
Type of data
- Personal Data – Demographics
- Special Category Data – Health Data
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(a) – Consent (for personal data)
- Article 9(2)(a) - Explicit Consent (for special category data)
If you have requested to view, or to be provided with a copy of, the personal data we hold about you, your request for access will provide this consent. It will not be necessary to ask for identity checks if you are a current member of staff.
Childcare Vouchers
Data Processor
Type of data
- Personal Data – Demographics
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(a) – Consent
This childcare voucher is a service offered to you to support childcare costs. You need to access the website directly and provide your details online to the supplier. Please note by doing so you accept the risk of using this website and submitting your details online.
The NHS National Staff Survey
Data Processor
- Quality Health
Type of data
- Personal Data – Demographics
Source of Data
- Staff
Legal basis for processing Personal Data under UK GDPR
- Article 6 (1)(a) – Consent
- Using anonymous or aggregate information
We use pseudonymised, anonymised and aggregated data in the following ways:
- To undertake anonymous staff surveys / questionnaires using Survey Monkey
- To produce staff statistics for example, number of staff in each department for Human Resource purposes
- To respond to Freedom of Information requests using anonymised information if requested to provide information about staff.
- To provide an Employee Assistance Programme run by Insight. They run an independent counselling and advice service, which is paid for by the Trust. It is available for you and any family members who are over 16, who live at your address. You do not need to disclose your personal information to use this service. You only need to provide the access code and the Trust name.
Where information is used for statistical purposes as above, secure measures are taken to ensure individuals cannot be identified where the law doesn’t allow this. Anonymous / aggregate staff information may be passed to the council as part of integrated working.
- How we protect your personal data
Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards. We have an Information Governance Strategy and Framework that explains the data security governance within the Trust.
Technical assurance is provided regarding the IT / cyber processes in place, as the Trust is required to complete the Data Security and Protection Toolkit (DSPT), an online assessment that must be completed every year by organisations that process Personal Data. It looks at what data protection, IT security and cyber security measures are in place. The Trust’s IT Department regularly monitors the network for potential vulnerabilities and attacks and works to ensure security is continually strengthened.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS and Trust’s Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has nominated staff with specific data protection responsibilities who are there to ensure your personal data is safeguarded at all times: the SIRO, the Caldicott Guardian and the DPO.
Staff are reminded that actions within systems / emails and internet usage can be monitored, recorded and audited.
Everyone working for the Trust has a legal, ethical and contractual duty, enforceable through disciplinary procedures, to keep information confidential. As part of mandatory Information Governance training, all staff, including contractors and committee members, receive appropriate data security training and awareness to ensure you are aware of your personal responsibilities. We have incident reporting and management processes in place for reporting any IG (data) breaches or incidents. We learn from such events to help prevent further issues and inform data subjects of breaches when required.
- Retention and Destruction of personal data
Retention
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. In the NHS, all commissioners and providers apply retention schedules in accordance with the NHSX Records Management Code of Practice 2021. This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
For example, upon receipt of your recruitment information, information about your employment will be collated within your employee personal file for the duration of your employment, and for six years thereafter, or until your 75th birthday, whichever is sooner. Upon destruction of your file, a summary record is retained until your 75th birthday, unless your file is destroyed on your 75th birthday, when no further record will be retained. This is documented in the NHSX Records Management Code of Practice 2021.
Destruction
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we:
- Ensure that information held in manual form (regardless of whether original or printed from IT systems) is destroyed using a confidential waste disposal process. The Trust uses VINCI FM to dispose of confidential waste. The Trust's Contract & Facilities Management team manages and monitors the services provided by VINCI FM and ensures that the supplier complies with UK GDPR / DPA 2018 by documenting this in a contract and / or obtaining assurance.
- Ensure that electronic storage media used to hold or process information are destroyed or overwritten to the national cyber security standard. The Trust’s IG Department manages this and is required to provide evidence as part of the Data Security and Protection Toolkit.
- Who do we share your data with?
To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others. We will not disclose any staff information without an appropriate lawful basis, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out statutory functions, i.e. reporting to external bodies to meet legal obligations.
Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud. Where mandatory disclosure is necessary, only the minimum amount of information is released. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules.
We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
- Where is your data processed?
Your data is processed within the Trust and by the other third parties stated above, who are UK based. The services these companies provide are delivered under specific contractual terms, which are compliant with UK data protection legislation. Your personal data is not sent outside of the UK for processing.
- What are your rights over your personal data?
You have the following rights over your data we hold.
Right of access to personal data
Under the terms of the UK General Data Protection Regulation you have the right to request access to the information that we hold about you. This is known as a “Right of Access” request. We kindly request that this is provided in writing / email (please note this is not compulsory) so that we have adequate information to process your request. There is no charge (subject to exemptions) to have a copy of the information held about you, and we must respond to you within one month (subject to exemptions).
If you would like a copy of your personal data from St Helens & Knowsley Teaching Hospitals NHS Trust please contact:
Legal Services
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DR
Telephone: 0151 430 1732
Email: Access.Disclosure@sthk.nhs.uk
Requests are handled in line with our ‘Subject Access Procedure’, and you can use the Access Request form to make your request if this is helpful. To request a copy of this form please contact the Legal Services, Access and Disclosure team at the email address above. If your request is posted, please ensure it is marked private and confidential and addressed to the Legal Services, Access and Disclosure team. The team will liaise with the relevant department to ensure you receive your personal data.
Right to Rectification
If you think that there are inaccuracies in your record, you have the right to request that these be corrected or annotated. We have one month from receipt to deal with these requests.
Right to Erasure (‘to be forgotten’)
Only where processing is based on your explicit consent do you have the right to request that the data you consented to be processed is deleted / erased.
Right to Data Portability
Only where processing is based on your explicit consent do you have the right to have the data provided to you in a format you have requested, such as an Excel spreadsheet or CSV file.
Right not to be subject to a decision based solely on automated processing
The Trust does not process data using this method, so this right will not apply to our data processing activities.
Right to withdraw consent
You have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the Trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.
Right to object to processing
You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, processing can continue.
Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.
If you wish to pursue any of the above rights, please contact the Information Governance Department.
- Complaints / Contacting the Regulator
If you feel that your personal data we hold at the Trust has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of personal data, please contact our Data Protection Officer (DPO) at the following contact details.
Camilla Bhondoo - IG@midmerseyda.nhs.uk
Or the PALS team - pals@sthk.nhs.uk
If you are not happy with our responses and believe we are not processing your personal data in accordance with the law, you may wish to take your complaint to a supervisory authority: you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1133
Or go online www.ico.org.uk/concerns
Or write to them at:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
- Further Information / Contact Us
We hope that this privacy notice has been helpful in setting out the way we handle your personal data at the Trust and your rights to control it. If you have any queries or would like further information, please visit the useful websites below and / or contact us at the following contact details.
Information Governance Team
St Helens & Knowsley Teaching Hospitals NHS Trust
Alexandra Business Park
Court Building
Prescot Road
St Helens
WA10 3TP
Or via IG@midmerseyda.nhs.uk
- Links
If you would like to find out more useful information on the wider health and social care system approach to using personal information, please see the links below:
Updated June 2022