Staff information
Frimley Health NHS Foundation Trust takes your confidentiality and privacy rights seriously. The Trust is the Data Controller of personal data that is collected by the Trust to help us provide and manage healthcare for our patients and relating to the employment of our staff.
This Privacy Notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency requirements to you under the General Data Protection Regulation/Data Protection Act 2018.
It applies to current and former employees, workers, contractors, and volunteers (together ‘the workforce’) and it is important that you read through it carefully. This notice does not form part of any contract of employment or other contract to provide services and may be amended from time to time.
Your information is never collected for direct marketing purposes and is not sold to any third parties.
Our legal reason for collecting your information.
Under the Data Protection Act, the Trust must provide a legal basis for the processing of your information without consent. The provision of personal data is necessary in order that the organisation can enter a contract with you to provide services for the organisation. Predominantly, we will process your information under the following legal bases:
- Article 6(b) Necessary for the performance of a contract to which the data subject is party; and
- Article 9(b) Necessary in connection with employment.
We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate. Where you provide consent to the processing of your data, you will be asked at the time the data is processed and you should be aware that you will be able to withdraw your consent at any time.
What records do we hold?
The provision of personal data is necessary in order that the organisation can enter into a contract with you to provide services for the organisation. If you fail to provide the details requested, we may be unable to comply with the terms of any contract with you or comply with our legal obligations to you. On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used by the Organisation to effectively manage the workforce leading to improved efficiency and improved patient safety.
Inter Authority Transfer (IAT) is the process by which certain personal data is transferred from one NHS organisation to another when you accept an offer or your employment transfers. NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce. The streamlining staff movement principles include data sharing arrangements which are aimed at improving efficiencies within the NHS both to make cost savings for organisations but also to save you time when your employment transfers.
We will process the following categories of personal data about you:
| Data | Purpose |
| --- | --- |
| Name, title, address and contact details | In order to enter into your contract of employment, you are required to provide your personal details. If you do not provide this information, we will not be able to employ you or verify who you are. |
| Terms and conditions of employment | Such as: Grade; Employment dates; Salary; Post; Sickness information. This enables us to ensure that you are paid correctly and to calculate appropriate holiday and sickness entitlements. |
| Qualifications and work experience | As set out in job applications and CVs |
| Bank account details and national insurance number | You are required to provide bank details and National Insurance number to the organisation to enable us to pay you. |
| Pension Scheme | You are required under the terms of your contract to provide information about your pension scheme membership. If you do not provide this information, we will not be able to administer your pension benefits. |
| Right to work | In order to enter into your contract of employment, you are legally required to provide evidence of your right to work in the UK. If you do not provide this information, we will not be able to employ you. |
| Criminal Offences and references | In order to enter into your contract of employment, you may be required to provide a DBS check to enable us to verify your suitability for the position. If you do not provide this information, we will not be able to employ you. |
| Periods of leave taken | You are required under the terms of your contract, and you are obliged under statute to provide information about periods of leave. We require this information to provide you with your statutory and contractual benefits. If you do not provide this information, we may not be able to provide these benefits. This will include: Annual leave; Sickness absence; Maternity, paternity, parental leave. |
| Disciplinary and grievance procedures | Including any: Warnings; Adverse employee behaviour; Whistleblowing findings. |
| Records of Training | Including: Training; Compliance; Appraisals; Performance improvement plan including registration/revalidation status where required. We require this information to ensure that you should not need to repeat some nationally recognized training, including statutory and mandatory/core skill training. |
| Special category data | Including: Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions; Trade union membership; Information about your health, including any medical condition, health, and sickness records. |
| References | Details in references about you that we give to others |
| Directors only | Search of the Companies House Register |
Details about your day-to-day work
Other information that will be collected as part of your employment is as follows:
- Use of the Trust IT systems including communications such as emails
- Details of your use of business-related social media such as LinkedIn and general social media
How we use your information in conjunction with TRAC
Your personally identifiable information will be managed from job application through to starting work. Your information is required to perform the necessary employment checks, issue a contract of employment, and ensure full compliance with current legal/regulatory requirements.
On rare occasions your information may be entered without having completed a job application. For example, obtained from an education provider or where employment checks are required for existing members of staff.
As outlined above, specific items of documentation will be required as part of your onboarding and this will be in line with NHS Employers’ guidance. Only the necessary information is shared with organisations which assist us with these checks, and it is only for the purpose of performing those checks.
To verify specific documentation such as Passports/BRPs and any other accepted forms of photographic ID, the Trust utilises an identity document validation technology (IDVT) named Trust ID. During the ID verification process with Trust ID, your documentation will be checked against Amberhill for known fraudulent and counterfeit documents. This is a national Police database hosted by the Metropolitan Police.
This software is used by many other NHS trusts to minimise fraudulent documentation and ensure full compliance with Right to Work legislation as set by Home Office standards. Both manual and face recognition checks are available and will function as an integral part of our onboarding process to minimise cases of Identity Theft or Counter Fraud.
Any information provided relating to ethnic origin, religious beliefs and sexual orientation will be used only for equal opportunities statistical monitoring of the recruitment process and workforce. This will be non-identifying data and will not affect your application if you choose to disclose or not disclose this information.
If you have indicated that you wish to be considered for an interview under the guaranteed interview scheme that information will be used purely for the purposes of arranging interviews.
If at any point during your onboarding process you wish to withdraw your application, you can log in to your applicant account on TRAC and then withdraw your application.
In line with TRAC’s retention policy, your information will be deleted from their system once it is no longer regarded as necessary for the purpose for which it was collected. This is 399 days after the date the application was entered in TRAC or 199 days after your proposed/actual start date, whichever is the greater. This period allows obligations relating to lawful employment practices to be fulfilled such as statistical reporting and the defending of potential legal claims.
Personal data about our workforce is collected in many ways: through communications with you either face to face or in writing, email or on the telephone; through monitoring of our websites and our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, from your doctors, from medical and occupational health professionals we engage, email and instant messaging systems, intranet, and internet facilities.
We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
We aim to ensure that our data collection and processing is always proportionate. We will notify you of any material changes to the information we collect.
How we use your information in conjunction with Electronic Staff Record (ESR)
Your personal information may also be used to fulfil other employer responsibilities, for example, to maintain appropriate occupational health records, comply with health and safety obligations, carry out any necessary security checks and all other employment related matters. In addition, the information held may be used in order to send you information which is relevant to our relationship with you. Your information will only be disclosed as required by law or to our appointed agents and/or service providers who may be used for a variety of services, for example, processing of payroll and provision of pensions administration or staff surveys.
IBM, who provide ESR, and its partners as service providers will be responsible for maintaining the system. This means that they may occasionally need to access your staff record, but only to ensure that the ESR works correctly. Where this happens, access will be very limited and is only to allow any problems with the computer system to be investigated and fixed as necessary. They will not have the right to use this data for their own purposes and contracts are in place with the Department of Health to ensure that the data is protected and that they only act on appropriate instructions. IBM and the ESR Central Team may access anonymised data about transactions on the ESR system in order to support the development and optimal use of the system.
Some of your personal information from ESR will be transferred to a separate database, known as the Data Warehouse. This will be used by various Government and other bodies (listed below) to meet their central and strategic reporting requirements. It will allow them to access certain personal information to generate the reports that they need and are entitled to. The Data Warehouse is intended to provide an efficient way of sharing information. Organisations currently granted access to the Data Warehouse are:
- NHS Digital
- NHS Employers
- Health Education England, and its local committees
- Deaneries
- Department of Health
- Care Quality Commission
- NHS Trust Development Authority
The government may allow further organisations to have access in the future and therefore an exhaustive list cannot be provided; however, any organisation having access to your data will have a legal justification for access.
Why do we collect this information?
We process the personal data of our workforce for employment purposes but also to assist in running our organisation, for example by improving the management of our workforce we improve the experience of service users.
We will only use your personal data when the law allows us to. The GDPR sets out six legal bases for processing personal data. The most common legal bases for processing your personal data are:
- 1. Where we need to fulfil the employment contract we have entered into with you.
- 2. Where we need to comply with a legal obligation.
- 3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We set out below the ways in which we process your personal data and the legal basis on which we rely, as set out in 1 – 3 above.
| Scenario | Legal basis |
| --- | --- |
| Making a decision about your recruitment or appointment | Legitimate interest. The legitimate interest being the employment of a suitable workforce |
| Determining the terms on which you work for us | Legitimate interest. The legitimate interest being maintaining good employment practices and ensuring consistency of terms of employment of the workforce |
| Checking you are legally entitled to work in the UK | Legal obligation |
| Where eligible, checking your criminal record | Legal obligation |
| Paying you and deducting tax and National Insurance contributions | Contract / legal obligation |
| Liaising with your pension provider | Contract |
| Administering the contract we have entered into with you | Contract / legal obligation |
| Business management and planning, including accounting and auditing. | Legitimate interest. The legitimate interest being the effective and efficient provision of [‘The Trust’ FHFT] services |
| Conducting performance reviews, managing performance, and determining performance requirements | Legitimate interest. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice |
| Conducting disciplinary procedures | Legitimate interest. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice |
| Making decisions about salary reviews and compensation | Contract |
| Assessing qualifications for a particular job or task | Legitimate interest. The legitimate interest being employment of a suitable workforce. |
| Gathering evidence for possible grievance or disciplinary hearings | Legitimate interest. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices. |
| Making decisions about your continued employment or engagement | Legitimate interest. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices |
| Making arrangements for the termination of our working relationship | Legitimate interest. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices |
| Education, training, and development requirements | Legitimate interest. The legitimate interest being the employment of a suitable workforce |
| Dealing with legal disputes involving you, or other employees, workers, and contractors, including accidents at work | Legal obligation |
| Ascertaining your fitness to work | Legal obligation |
| Managing sickness absence and assessing your right to occupational sick pay | Contract / legal obligation |
| Complying with health and safety obligations | Legal obligation |
| To prevent fraud | Legal obligation |
| To monitor your use of our information and communication systems to ensure compliance with our IT policies. | Legitimate interest. The legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential. |
| To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. | Legitimate interest. The legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential. |
| Equal opportunities monitoring | Legal obligation |

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. You are responsible for notifying us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. If you change your details or realise you have entered any details incorrectly, please email fhft.recruitment@nhs.net to update your record.
Special Category Data
We will only process special category data about genetic and biometric data, and data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sexual orientation, where a further condition is also met.
The conditions which will usually apply are that we have a legal obligation to process the information, where it is necessary to assess your working capacity on health grounds or, less commonly, where it is needed in relation to legal claims.
We will use your special category data in the following ways:
- information relating to leaves of absence, which may include sickness absence or family-related leave, to comply with employment and other laws.
- information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.
Criminal offence data
You should be aware that certain roles within the organisation may require either a standard, enhanced or enhanced with barred list information DBS check to be carried out.
We will only require a DBS check to be made where the role is eligible, and the check shall be at the appropriate level only and no higher. We will assess the relevance of any cautions and convictions detailed in the DBS check to the role for which the applicant has applied.
Given the sensitive nature of the information contained in a DBS certificate, the organisation will ordinarily only retain on file information about the level of check which was requested and the date on which the certificate was obtained.
Retention periods
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. For unsuccessful job candidates, documentation is retained for six months after he or she is rejected for a role and then deleted.
However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and, for clinical staff where there is a negligence claim in relation to a child, the normal three-year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff who may be at risk of certain diseases, or who were involved in an incident that could give rise to a clinical negligence claim, and which requires a longer retention period than six years, is marked appropriately as needing to be retained for a longer period.
If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.
Recipients of data
We may have to share your data with third parties, including third-party service providers. We may also need to share your data with third parties such as external contractors and our professional advisers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
The following third parties may receive personal information about you for the following purposes:
| Recipient | Data disclosed | Purpose of disclosure |
| --- | --- | --- |
| Civica UK Ltd | Personally identifiable information taken from job applications. | For recruitment onboarding process. The information may also be exported to other systems involved in the recruitment process or subsequent employment, such as the Disclosure and Barring Service, NHS Electronic Staff Records and staff files and recruitment archives. |
| Trust ID - certified Identity Service Provider (IDSP) | Identifiable information taken from photographic identification i.e., Passport, Driving licence, Biometric Residence permit | The identity document validation technology (IDVT) checks the validity of identity documents whilst verifying a prospective employee’s identity. |
| Electronic Staff Record (ESR) | Information pertaining to yourself and employment i.e., Start date, professional registrations, next of kin details. Salary, NHS pension contributions, tax, and National Insurance contributions. Training and appraisals. | In order for the payroll department to pay your correct salary. Required for training needs, emergency contact information and compliance obligations. |
| Iron Mountain Incorporated (NYSE: IRM) | A hardcopy personnel file obtained from TRAC. This file will also contain information relating to your day-to-day management such as contractual changes. | Auditable evidence that the file is compliant with current legislation and adheres to applicable Trust policies and procedures. In line with the Records Management Code of Practice, your personnel file will be retained for six years after you have left the Trust. |
| Wagestream | Information pertaining to yourself and employment i.e., Name, payroll number(s), Bank Account number | Wagestream pays your earned wages directly to your Bank account that is linked to your payroll number. |
| Salary Sacrifices – Fleet Cars, Home Electronics, Cycle to Work | Information pertaining to yourself and employment i.e., name, payroll number, email address, home address, salary information and NI number | This information is used on applications made by the employee when using the scheme, used by Fleet Solutions/ Cycle to Work to set up user accounts and set up a Salary Sacrifice agreement with the Trust. |
| Each Person | Information pertaining to yourself and employment including name, work email address, assignment number, Trust start date and assignment number | Each person holds this information on employees who have reached long service milestones with the Trust, starting at 20 years and proceeding, this information is to identify the length of service so that monetary vouchers can be issued to them via email. Information is wiped once the employee has left the Trust. |
| HMRC | Automated submission of all Taxable earnings and PAYE paid. | This is a statutory requirement to ensure that all PAYE records are correct, this includes Student Loan accounts. HMRC also pass on the earnings to Universal Credit for staff who are entitled to UC. |
| NHS Pensions | Automated submission of all Pension data | This is used to update employee’s pension records. |
Security
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.
Maintaining data security means guaranteeing the confidentiality, integrity, and availability (for authorised purposes) of personal data.
This is in line with the Trust’s Data Protection and Confidentiality Policy.
Sharing your Information
We may also share your personal information due to:
- Our obligations to comply with current legislation.
- Our duty to comply with any Court Order which may be imposed.
Any request to disclose personal data is always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation or other legal basis for disclosure. We may obtain and share personal data with a variety of other bodies, which may include:
- HM Revenue and Customs (HMRC)
- Disclosure and Barring Service
- Home Office
- Child Support Agency
- Internal Audit
- NHS Counter Fraud Authority
- Department of Health
- Central government, government agencies and departments
- Other local authorities and public bodies
- Ombudsman and other regulatory authorities
- Courts / Prisons
- Financial institutes, e.g., banks and building societies, for approved mortgage references
- Credit Reference Agencies
- Utility providers
- Educational, training, and academic bodies
- Law enforcement agencies including the Police, the Serious Organised Crime Agency
- Emergency services, e.g., the Fire and Rescue Service
- Auditors e.g., Audit Commissioner
- Department for Work and Pensions (DWP)
- The Assets Recovery Agency
- Relatives or guardians of an employee where there is a legal duty to do so
How do we keep your information safe?
All staff working for the NHS are bound by strict confidentiality agreements. This means that only staff involved with your care are entitled to access information relating to you, which is detailed within the confidentiality agreements signed by staff as soon as they start working within the Trust.
The Trust ensures that all staff complete annual Information Governance training, which includes the Data Protection legislation and the Common Law Duty of Confidentiality, which will ensure that staff know and understand that they have an obligation to always keep your information secure and confidential.
The Trust’s Digital Services Department has deployed technical security measures to keep your information secure when being stored or transferred electronically. This includes ensuring all security software and encryption is up to date, helping to prevent the risk of a cyber-attack.
If any of your personal information is to be processed overseas e.g., outside of the UK, a full risk assessment will be undertaken to ensure the security of your information.
Your rights
Data Protection Law gives individuals rights relating to the personal information that we hold about you.
These are:
- To be informed of why, where, and how we use your information.
This is detailed in the Staff Information Notice that you are reading now.
- Ask for access to your information.
Under the Data Protection Act, individuals have the right to make a Subject Access Request (SAR) which allows you to request a copy of your information that is held by us. There are several ways to request a copy of your records:
  - Letter
  - Verbal request
You will need to provide documentation to confirm your identity and clarification of the information that you are requesting to support your request. The Access to Health Records Team will ask for the following information:
  - Proof of identity, e.g., copy of your valid passport / driver’s license
  - Proof of address, e.g., utility bill dated within the last year.
  - Details of information being requested.
It is important to note that the staff who process your request for information have met you, and we need to ensure that we are providing your confidential information to the correct person.
We are legally obliged to respond to your request within a calendar month of receiving both your request and identification. If we do not have the relevant information to process your request, we will contact you to ask for it, as we will be unable to process your request until all relevant information has been received.
Any individual requesting information from the Trust who is unhappy with how their request has been managed/processed, is asked to submit their complaint to the Trust’s Data Protection Officer.
Additionally, all individuals have the right to appeal to the Information Commissioner’s Office (ICO); further information can be found at www.ico.org.uk
- Ask for your information to be corrected if it is inaccurate or incomplete.
We have a legal obligation to ensure that your information is accurate and up to date.
- Ask for your information to be deleted or removed where there is no need for us to continue processing it.
This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. We have a legal obligation to store your employment information. The length of time that we store your information is set out by the Records Management Code of Practice 2021. Further information on the retention of records within the NHS can be found on the NHS Digital website: https://digital.nhs.uk/codes-of-practice-handling-information
- Ask us to restrict the use of your information.
In some circumstances, we must ‘pause’ the processing of our use of your personal data if you ask us to. We do not have to comply if we need to retain your personal information if you make a legal claim against us.
- Object to how your information is used.
You have the right to object to the processing of your information in certain circumstances.
- Challenge any decisions made without human intervention (automated decision making)
An automated decision is one that is made with no human involvement. For example, where an organisation monitors sickness absence via a computer programme, and the disciplinary process is automatically triggered when an employee reaches a certain number of days’ absence.
Please be aware that you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.
Please contact the HR services team in writing at fhft.askhr@nhs.net if you would like to exercise any of your rights under the GDPR.
Please be aware that whilst a fee will not normally apply where there is a request to access your personal data, we may charge a reasonable fee if your request for access is repeated and/or clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Contact details
Throughout this Privacy Notice we have mentioned the following areas:
| Department | Purpose | Contact details |
| --- | --- | --- |
| HR recruitment | Updates to personal data | Email – fhft.recruitment@nhs.net |
| HR | For any other queries | Email – fhft.askHR2@nhs.net |
| Data Protection Officer | To correct inaccurate information. Concerns or queries about how your information is being used | Email - fhft.information.governance@nhs.net |