Recruitment/Staff Privacy Notice
This privacy notice is for staff and prospective staff of the Practice. If you are a patient, carer or relative, you should see our patient privacy notice. This patient privacy notice will also apply, in addition to the staff privacy notice, where staff are involved in health initiatives, including COVID-19 research.
Millgate Healthcare Partnership is registered as a data controller with the Information Commissioner’s Office (ICO) as part of the Data Protection Act 2018. We are committed to collecting, storing and processing personal information in line with UK Data Protection Law and the General Data Protection Regulation (GDPR).
For the purposes of this privacy notice, the term ‘staff’ includes:
- workers, including agency, casual and contracted staff
- work experience placements
We reserve the right to update this privacy notice at any time, and we will notify you with a new privacy notice if we make any substantial updates. From time to time, we may also let you know about the processing of your personal information in other ways.
Types of information we collect
This is information that identifies you, like your name or contact details.
It is important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes during your working relationship with us.
If any changes are required, please let us know by contacting your line manager in the first instance or emailing the Practice Manager.
Special category personal information
Some of the information we collect is special category data, or sensitive data, which can include:
- your race or ethnicity
- religious beliefs
- trade union membership
- health, including physical and mental health
- sexual orientation and gender
- criminal convictions
Extra safeguards are applied to special category information, and we must be able to demonstrate a legitimate reason to hold and use it.
Coronavirus (COVID-19) self isolation
In addition to information relating to your health, the Practice may also collect and process information relating to coronavirus (COVID-19) self isolation status, to help with workforce planning and ensure continuity of services.
The lawful basis will be GDPR Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems) and 3 (public health) are engaged.
Laws on information processing
The Practice will only process your personal information where we are able to do so by law, under the legal basis available through the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR).
The legal bases we use most often to collect information are:
- entering into and managing our employment contract
- legal obligations where processing is necessary for compliance, for example, informing HMRC of your tax and National Insurance contributions
- when considering employees’ rights as potential members of the Practice
- where the Practice may rely on its legitimate interests, where a formal assessment has been made and recorded
- Where we process sensitive personal or special categories of data about you, we will ensure this is done only where one of the following conditions applies:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, or the data subject, in the field of employment and social security and social protection law
- processing is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, or the provision of health or social care
- If you require further information about the legal basis for any specific aspect of processing please email the Data Protection Officer.
When we collect information about you
If you apply for a job
When you apply for a position with the Practice, you will give us relevant information about you which includes:
- personal contact details
- details of your skills, qualifications, employment history, experience, and professional membership (if relevant), and training history
- referee details
If you are invited to interview
During recruitment and selection, we will collect additional information like:
- correspondence, interview notes, and results of any tests you’re asked to complete as part of the selection process
- copies of qualifications and certificates
- pre-employment checks, including referees
- your nationality and immigration status, to confirm your eligibility to work in the UK
- your national insurance number, tax and bank details
- details of your pension
- remuneration, including salary and entitlement to benefits
- trade union membership
- criminal record
- ethnicity, gender, health, religion or sexual orientation
- medical history relevant to your employment, including physical health, mental health and absence history
- publicly available information, like your social media presence
If you become an employee
If you are employed by us, we may collect additional information like:
- your image, for security and ID badges
- education and training history
- appraisal and performance reviews
- security and audit data when you use Primary Care Tameside & Glossop Integrated Care FT IT equipment and systems, including the use of NHS smart cards
- your performance, sickness absence and other work related matters
- CCTV recordings when you’re on Practice premises
- personal data recorded as a normal part of your work activity
- data relating to employee relations, like disciplinary proceedings or complaints
Why we collect your information
We will use your information to administer your employment and associated functions. Your information may be shared between relevant colleagues who need the information to carry out their duties, like your line manager, Practice Manager or Partners.
We use staff data to meet our legal obligations as an employer, which include:
- recruitment and selection
- compliance with visa requirements
- maintaining staff records, including payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, conduct, management progress, disciplinary and grievance process and complaints, pensions administration, and other general admin and human resource related processes
- monitoring equal opportunities
- payment of trade union membership fees
- providing facilities, like IT systems access, library services and car parking
- preventing and detecting crime, like using CCTV and photo ID badges
- communicating about the Practice, including news and events
- maintaining patient health records, in line with the Practice’s clinical records keeping standards
- managing safe environments and fitness to work
- managing human resources process, like sick pay, managing absence, parental leave, and workforce planning
- occupational health and wellbeing services
- service quality monitoring
- maintaining contact with former employees
We maintain electronic and paper records that relate to your recruitment and employment. This information is held by the Practice Manager and locally, with your line manager. All paper files are securely stored and only relevant staff will be able to access this information.
Electronic information is accessed on a need to know basis, using the Practice’s secure electronic drives, where access is only granted to appropriate individuals.
Data sharing with third parties
We may disclose personal and sensitive information to a variety of recipients when:
- there’s a legal obligation to share
- it’s necessary for the performance of your employment contract
- you have consented to the sharing
Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only disclosed to those agencies and bodies who have a need to know, when there is a lawful basis to do so.
Your Practice contact details may be shared where there is a legitimate reason to do so and this is appropriate to your role and responsibilities, and recipients may include:
- our employees, agents and contractors where there is a valid reason for them receiving the information
- professional and regulatory bodies in relation to the confirmation of conduct, including complaints, job description and information provided as part of the recruitment process
- government departments and agencies where we have a statutory obligation to provide information, like HMRC and the Department of Health
- third parties who work with us to provide staff support services, like counselling
- crime prevention or detection agencies, like the police and security organisations
- the Parliamentary and Health Service Ombudsman
- internal and external auditors
- courts and tribunals
- trade union and staff associations
- relatives or guardians of an employee
- NHS Business Services Authority
Other NHS organisations
To streamline staff movement, we may share your information if you accept an offer with another NHS organisation, or your employment transfers or is seconded to another NHS organisation.
The following information may be shared if there is a legitimate business interests of the two organisations to do so:
- personal data to verify who you are, like your name, date of birth, address, NI Number
- employment Information to allow for correct pay and annual leave and sickness entitlements, like your position, salary, and dates of any sickness
- training compliance and competency dates, to reduce the need to repeat nationally recognised training and statutory and mandatory training
This information will be shared via the Inter Authority Transfer (IAT) which is the secure process where information is transferred from one NHS employer to another.
When it comes to personal data held about you by the Practice, you have the right to:
- request access
- request the correction of inaccurate or incomplete information, subject to certain safeguards
- request that your information is deleted or removed where there is no need for us to continue processing it, and when the retention time has passed
- to ask that we restrict the use of your information, based on personal circumstances
- to withdraw your consent for the collection, processing and transfer of personal information for a specific purpose
- to object to how your information is used
- to challenge automated decision making
Further information about these rights can be obtained from the Information Commissioner's Office.
How to access your personal data
If you require copies of personal information held by the Practice, speak to your Practice Manager.
The Practice may refuse your request in full or in part, where there is a legal basis to refuse and you will be informed of this.
If you have any further questions on the uses of your information, please contact the Practice Manger or email the GP Practice Data Protection Officer Jane Hill at Jane.firstname.lastname@example.org
If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner's Office