The Trust collects, stores and processes personal information about prospective, current and former staff, as part of employment activities.
This Privacy Notice includes applicants, employees (and former employees), workers (including agency, bank and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
You can request a copy of information the Trust holds about you by asking your line manager or emailing our HR subject access requests team.
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
- Contact details such as names, addresses, telephone numbers and emergency contact(s)
- Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
- Bank details
- Pension details
- Medical information including physical health or mental condition (occupational health information)
- Information relating to health and safety (including CCTV)
- Trade union membership
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment tribunal applications, complaints, accidents, and incident details
Staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
Your information is not processed overseas.
The Trust needs to process staff personal data in order to function effectively as an organisation. Examples of the purposes for which we do this are:
- Our obligations to comply with legislation
- Our duty to comply with any Court Orders which may be imposed
- Staff administration and management (including payroll and performance)
- Pensions administration
- Business management and planning
- Accounting and auditing
- Accounts and records
- Crime prevention and prosecution of offenders
- Education
- Health administration and services
- Information and databank administration
- Sharing and matching of personal information for the National Fraud Initiative
The Trust shares staff information with a range of organisations or individuals for a variety of lawful purposes, including:
- Disclosure to Data Processors e.g. to companies providing archive storage of personnel records under contract to the Trust
- Public disclosure under the Freedom of Information Act e.g. requested names or contact details of senior managers or those in public-facing roles
- Disclosure of job applicant details e.g. to named referees for reference checks, to the Disclosure and Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
- Disclosure to employment agencies e.g. in respect of agency staff
- Disclosure to banks & insurance companies e.g. to confirm employment details in respect of loan/mortgage applications/guarantees
- Disclosure to professional registration organisations e.g. in respect of fitness to practise hearings
- Disclosure to Occupational Health professionals (subject to explicit consent)
- Disclosure to police or fraud investigators e.g. in respect of investigations into incidents, allegations or enquiries
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a ‘need to know’ or where you have consented to the disclosure of your personal data to such persons.
To enable effective staff administration the Trust may engage with third party organisations to process your data on our behalf. These organisations are known as data processors and we ensure that they are legally and contractually bound to the Trust. We have in place agreements to ensure these third parties abide by data protection legislation.
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
All our records are retained and destroyed in line with the NHS Records Management Code of Practice, which sets out the appropriate length of time each NHS record is held for. We do not keep your records for longer than necessary.
All records are destroyed confidentially once their retention period has been met and the Trust has made the decision that the records are no longer required.
Data protection laws give you rights in respect of the personal information that we hold about you. These are:
- To be informed why, where and how we use your information.
- To ask for access to your information.
- To ask for your information to be corrected if it is inaccurate or incomplete.
- To ask for your information to be deleted or removed where there is no need for us to continue processing it (This only applies when certain conditions are met).
- To ask us to restrict the use of your information.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information (This only applies when certain conditions are met).
- To object to how your information is used.
- To challenge any decisions made without human intervention (automated decision making).
Please note, under data protection legislation, some exemptions apply which may restrict the above rights. Information on these exemptions can be found on the ICO website.
We may use RPA (Robotic Process Automation) when processing your information. This is where an online robot (known as a digital worker) undertakes administrative tasks that would usually be done by a person.
If you have any questions or concerns regarding how we use your information, please contact the Trust's Data Protection Officer:
The Information Governance Manager
The Clatterbridge Cancer Centre NHS Foundation Trust
Clatterbridge Cancer Centre – Wirral
Clatterbridge Road
Wirral
CH63 4JY
Call 0151 556 5844
The Information Commissioner’s Office (ICO) is the regulator for current data protection laws and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Additionally, you have the right to complain to the Information Commissioner if you should ever be dissatisfied with the way the Trust has handled or shared your personal information:
The Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Call 0303 123 1113 or 01625 545745
Visit the Information Commissioner’s Office website
This privacy notice will be reviewed on a regular basis to ensure it is in line with national guidance and legislation. This privacy notice was last reviewed in January 2023.
Staff can consent to uploading their employment records to the Digital Passport to be able to more easily move between different NHS organisations.
You will have full control over how the passport is used – it will be accessible on your mobile – and you choose when you wish to share it.
What data will be processed?
Information processed will include:
- Name, date of birth (DOB), NI number, ID photo
- Employment information and professional registration details
- Clinical training, skills and qualifications including restrictions on your practice
- Limited healthcare information related to your employment (Occupational Health clearance)
Legal basis for processing
The lawful bases for processing information for employment purposes are:
- 6(1)c legal obligation
- 6(1)e public task
- 9(2)b employment, social security and social protection
- 9(2)h health or social care
- 9(2)i public health
As sign-up to the passport is voluntary, the processing for the passport is based on consent – 6(1)a and 9(2)a.
Your current employer is the controller of your passport data. The system is hosted by Blackpool Teaching Hospitals NHS Foundation Trust (BTH), who are the data processor, and your data will be stored by BTH in the Microsoft Azure cloud. Data stored is encrypted and BTH staff do not have access to your data.
Evernym and Truu provide components of the technical solution but will not have access to your personal data and will not act as Data Processors.
Sitekit provide secondary technical support for the digital passport system. Sitekit will not routinely have access to your personal data, but there may be occasions where personal data is shared with Sitekit staff during the course of providing technical support. Any personal data obtained in this way by Sitekit will only be used to enable technical support, and will not be used for any other purpose or retained by Sitekit in any way.
Sitekit are an approved NHS subcontractor who have been subject to stringent Data Protection Impact Assessments and meet Data Security and Protection standards.
Your data will be sent electronically from the Trust ESR system to the Staff Passport system. In order to streamline and safeguard this process, we will be required to use a component provided to us by Cloud Gateway.
How long will you keep my data?
COVID-19 Digital Staff Passports will only be valid for the duration of the current COVID-19 health emergency. Once this emergency has ended and there is no longer a need for the scheme, all digital passports will be revoked by the creating organisation.