About this notice
The ICB needs to collect and process staff personal data in order to function effectively as an organisation. Personal data is processed for a variety of reasons (as set out below) and all such personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
This notice explains how the ICB collects, uses and shares personal data relating to prospective, current and former employees, workers, self-employed contractors and consultants, and voluntary workers, (you/your) and your rights in relation to the processing of your personal data.
In this notice:
- personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media on which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymised data) but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data). Examples, name, address, date of birth.
- Special Categories of personal data relates to information that is sensitive in nature and could cause harm to you or your reputation if processed inappropriately. Examples, health related information, criminal convictions, financial information.
- processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.
Changes to this notice
The ICB may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to take notice of any changes, however where any change affects your rights and interests, we will make sure we bring this to your attention and clearly explain what this means for you.
Questions or comments
If you have any questions or comments regarding this notice or you wish to exercise any of your rights (see below), you should contact our Data Protection Officer, the Head of Information Governance, by email at [email protected]
Who we are and what we do
Mid and South Essex Integrated Care Board (MSE ICB)
Phoenix Court, Christopher Martin Road, Basildon, SS14 3HG
Contact details can be found on the website: www.midandsouthessex.ics.nhs.net
The ICB is committed to ensuring the personal information of its applicants, current staff and previous employees is handled in accordance with the law.
The ICB is a ‘controller’ in relation to your personal data and is registered as such with the Information Commissioner’s Office (ICO) (registration number ZB338413).
How we collect your personal data
Most of the personal data set out in this notice will have been provided by or observed about you in the course of the application and recruitment process or during the course of your working relationship with the ICB.
The ICB may sometimes collect personal data about you from third parties including:
- your CV from any recruitment agencies that were authorised by you to approach the ICB regarding a position
- references from former employers, colleagues or other relevant parties
- information collected as a result of formal background checks, e.g. DBS checks
- other relevant information in the public domain
Types of personal data processed
Depending on your role, this notice sets out the types of personal data that the ICB may collect and process about you, including “special categories of personal data” which are particularly sensitive and require us to take additional steps to ensure their security and confidentiality.
We will collect and record information such as:
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- details of trade union membership; and
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
Your personal information is usually obtained from you directly or from a predecessor organisation under TUPE arrangements in the first instance. We may also obtain personal information about you from your manager, referees, relevant Regulatory Bodies, Pensions Service, DBS and Occupational Health.
Personal data provided by you about others
You may provide us with personal data about other individuals, for example, next of kin/emergency contact details and information about your family circumstances and dependents. You should notify the relevant person that you are providing their contact details to the ICB as your listed next of kin/emergency contact.
How the ICB uses personal data about you
Depending on your role, the ICB may process personal data (including special categories of personal data) about you for the following purposes:
- the administration of prospective, current and past employees including employed, self-employed, contract personnel, temporary staff or voluntary workers
- the recruitment and selection process
- administration of non-ICB staff contracted to provide services on behalf of the ICB
- the administration of payroll services
- planning and management of the ICB’s workload or business activity
- occupational health service
- pensions administration
- disciplinary matters, staff disputes, employment tribunals
- staff training and development
- usernames and log-ons to various internal and external sites and databases
- ensuring staff are appropriately supported in their roles
- vetting checks
- assessing the ICB’s performance against equality objectives as set out by the Equality Act 2010
- managing relationships effectively, lawfully and appropriately
- the provision of information to government departments or other bodies in order to meet our legal obligations, e.g. Inland Revenue, Nursing & Midwifery Council
- managing a safe environment and ensuring fitness for work
- providing information to potential purchasers of the organisation, or part of the organisation (TUPE)
- for the prevention and detection of crime
- provision of well being and support service
- for sending communications around staff engagement and organisational updates
Reporting
We extract various reports using ESR to enable the organisation to support and manage its staff. This information also feeds into relevant working groups and committees and annual reports.
We are regularly audited by internal and external audit who will request a sample of records to ensure we are following national legislation and local processes and policies
We have to report nationally on a number of mandatory requirements including the Workforce Race Equality Standard and Office for National Statistics. All information is anonymised
Lawful grounds for processing your personal data
We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:
- to perform a contract the ICB has entered into with you or take steps before entering into a contract with you at your request (for example, your employment contract or contract for services)
- to comply with the ICB’s legal obligations (for example, complying with employment and tax, immigration, health and safety and safeguarding laws, preventing and detecting crime, assisting the police and other authorities with their investigations)
- where necessary for our legitimate interests or those of a third party provided your interests and rights do not override those interests (for example, evaluating the suitability of a candidate for a role or defending employment claims brought by you)
- to protect your vital interests or those of another person (for example, where we know or have reason to believe that you or another person may suffer harm)
- to carry out the obligations and specific rights of the ICB or employee in the field of employment and social security and social protection
- for establishment, exercise and defence of legal claims
- for preventative and occupational medication (for example, assessment of the working capacity of an employee)
In circumstances where you have a genuine choice as to whether we should process your personal data, we will ask you for your consent. The method used to obtain your consent will depend on the scope and context of the processing that we propose.
In relation to special categories of personal data, we may request your explicit consent unless a condition applies which allows us to process such personal data without doing so.
Sharing your personal data
Where the ICB has lawful grounds for doing so, the ICB may share your personal data with the following third parties in connection with your employment contract.
We may share with:
Who we share with | Reason | Website |
---|---|---|
Disclosure & Barring Service (DBS) | DBS checking | www.gov.uk/government/organisations/disclosure-and-barring-service |
Atlantic Data | Registered Umbrella Body: DBS application service | https://www.atlanticdata.co.uk |
Edenred | Childcare Vouchers | www.edenred.co.uk |
EPUT | To manage the Occupational Health contract with Optima | https://eput.nhs.uk/ |
HMRC | Taxation | https://www.gov.uk/government/organisations/hm-revenue-customs |
Conveya | Cloud based, Apprenticeship Management Online Platform | https://www.conveya.co/ |
NEST Pensions | Pension Service | www.nestpensions.org.uk |
NHS Pensions | Pension Service | www.nhsbsa.nhs.uk/nhs-pensions |
Whittington Health | Payroll Provider | www.whittington.nhs.uk |
Optima Health | Occupational Health | www.optimahealth.co.uk |
NHS Litigation Authority (NHSLA) | www.nhsla.com | |
KPMG | External Auditors | www.kpmg.com |
West Midlands Ambulance Service University NHS Foundation Trust | Internal Auditors | https://wmas.nhs.uk/ |
NHS Property Services | Estates Management | https://www.property.nhs.uk/ |
Arden & GEM CSU | IT Service Provider | www.ardengemcsu.nhs.uk |
We may also share anonymised information that could contain parts of your employment record. We can only do this if the information cannot be linked back to you.
We will not sell your information or use your information for marketing purposes.
At times it is necessary to access records for investigation purposes due to complaints or concerns. In these scenarios we may share your information with our solicitors and professional bodies in addition to:
NHS Protect
General Medical Council, Regents Place, 350 Euston Road, London, NW1 3JN
Nursing and Midwifery Council, 23 Portland Place, London, W18 1PZ
HCPC, Park House,184 Kennington Park Road, London, SE11 4BU
Data Processors
Where the ICB uses third parties to process personal data on its behalf (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.
Our main Data Processors are:
- Optima Health and EPUT (Occupational Health)
- Whittington Health (Payroll services)
- Atlantic Data (DBS)
- Conveya (Apprenticeship Management Online Platform)
With the following data processors, minimal information is processed about you, usually just a name and email address for communication and/or log-on purposes:
- Arden & GEM Commissioning Support Unit (IT services, Athena – Strategic Data Platform)
- ProvePrivacy (Data Protection Compliance)
- Glasscubes (Cloud CollaborationPlatform)
- NHSmail (Email, Office 365, Sharepoint & Teams)
- e-shot (Digital communication platform for newsletters, staff comms and public campaigns)
These organisations are under contract with the ICB as a data processor and will process your data in strict accordance with guidance.
Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.
Where your personal data is stored
Most personal data about you, including your personnel file, will be stored locally on servers that are maintained by our IT providers.
However, some personal data that the ICB processes about you may be accessed from, transferred to, or stored elsewhere in the UK; within the European Economic Area (EEA) or a country or territory outside of the EEA. The ICB will only transfer your personal data outside of the EEA:
- to a country or territory that has been determined as providing an adequate level of protection for your personal data.
- where the transfer is subject to one or more appropriate safeguards prescribed by law, including the standard contractual clauses approved by the European Commission.
- if the transfer is otherwise permitted by law or where you have given your explicit consent.
How the ICB keeps your personal data secure
The ICB has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in any unauthorised way or altered or disclosed. In addition, the ICB limits access to your personal data to the persons and organisations, including those described above, who have a lawful and legitimate need to access it.
Our organisation uses computers, laptops and smart phones. All devices are fully encrypted, require a passcode or password to access and access can be removed at anytime.
All devices have virus scanning software and the latest updates to stop malicious software.
We also use a secure network and do not transmit any staff information unless it is protected by encryption.
Keeping your information confidential is our top priority. We will only access your records with a legitimate interest.
All information will be kept on an electronic personal file and a secure HR system called ESR. Access is restricted and all users have a unique audit trail to track who accesses any information and when.
ESR is managed and processed by IBM.
The ICB and the NHS ESR Team (part of NHS Business Services Authority) are the data controllers.
The ICB has also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so.
How long the ICB will retain your personal data
The ICB must only to retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements.
We adhere to the Records Management Code of Practice 2021which sets out what people working with or in NHS organisations in England need to do to manage records correctly.
Appendix 3 of the Code contains the detailed retention schedules. It sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement. The code can be found here.
As per the retention schedule linked to above, all relevant information in relation to your employment or engagement will be held by Human Resources and retained for six years after you have left the ICB or your engagement has ceased, after which time it will be summarised, the main file destroyed, and then held until your 75th birthday.
In some cases, the ICB may anonymise your personal data so that it can no longer be identified with you, in which case the ICB may retain such data indefinitely.
If notice of a claim or Pre-Action or Early Conciliation correspondence is received, then we may retain and process relevant personal data to defend the claim for the duration of the proceedings. Whilst we may dispose of any personal data after the conclusion of the claim, please be aware that all litigation documents disclosed or evidence given may be a matter of public record.
NHS Mail
Employees’ (and sometimes independent consultants and contractors’) work contact details will be publicly available via the NHSmail system. This will include name, job title, work address, email address and telephone number. This information is classified as ‘public’.
IT Services
IT services for staff are provided by a third party. This requires the ICB to disclose some personal data (name and email address) to this third party.
Staff using the service are also subject to the third party’s terms of use and privacy policy and are notified of these terms when issued with their account.
Staff email addresses are issued and used for communicating about ICB business. You may give further consent for your email address to be used for other purposes during your time here, e.g. joining a specific mailing list.
Your responsibilities
You must ensure that any personal data collected and processed by you in the course of performing your duties and obligations is held in accordance with the ICB’s suite of Information Governance policies.
Members of staff are able to access, amend or notify the ICB of any changes to their contact details via the ESR system. It is important the ICB has an accurate record of staff details in case there is a need to make contact with staff in emergency circumstances.
Your rights
You have a number of rights in relation to the processing of your personal data by the ICB:
- Access: You have the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that the ICB is processing it lawfully and fairly.
- Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
- Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the ICB to continue processing it or where you have exercised your right to object to the processing of your personal data.
- Restriction: You have the right to request restriction of how the ICB processes your personal data; for example, to confirm its accuracy or the ICB’s reasons for holding it or as an alternative to its erasure.
- Objection: You have the right to object to the ICB’s processing of any personal data which is based on the legitimate interests of the ICB or those of a third party based on your particular circumstances.
- Portability: You have the right to receive or request that the ICB transfers a copy of your personal data in an electronic format where the basis of the ICB processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
- Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how the ICB processes your personal data.
To exercise any of these rights you must contact the ICB’s Data Protection Officer (DPO) in the first instance, contact details are provided throughout this notice. The ICB may be entitled to refuse any request in certain circumstances and where this is the case, you will be notified accordingly.
Where the lawful ground relied upon by the ICB to process any of your personal data is your consent, you have the right to withdraw such consent at any time without having to give any reason. However, if you do so, the ICB may not be able to provide some or all of its services to you or the provision of those services may be affected.
You will not have to pay any fee to exercise any of the above rights, though the ICB may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, you will be notified accordingly.
To protect the confidentiality of your personal data the ICB may ask you to verify your identity before fulfilling any request in relation to your personal data.
Raising concerns
If you are concerned about the way we are handling your information or wish to make a complaint please contact Data Protection Officer (DPO), via email on [email protected]
If the issue cannot be resolved by our organisation, you have the right to report it to the Information Commissioners Office on the details below who are independent.
Website: www.ico.org.uk/concerns/
Phone: 0303 123 1113