Staff/employee Fair Processing Notice/Privacy Notice
Review dates/version control
V1: published December 2019
V2: updated March 2021 to include list of data processors and arrangements for new board portal software
What is this Fair Processing Notice about?
During the course of its employment activities, Buckinghamshire CCG will collect, store and process personal information about prospective, current and former staff. This Fair Processing Notice/Privacy Notice covers applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. The CCG is committed to protecting your privacy and complying with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
How do we collect your personal information?
We may collect your Personal Data in a number of ways, for example:
- At the point of recruitment to the CCG;
- When you contact the CCG via the HR Department; either via telephone or email;
- When you apply for an internal vacancy within the CCG;
- During the course of managing your employment with the CCG, e.g. appraisals, disciplinary matters and the implementation of HR policies and procedures;
- Contact details you have provided for the purposes of managing the CCG’s Business Continuity Plan; and
- Information we receive from third parties such as HMRC, Disclosure and Barring Service (DBS) checks, external organisations seeking a reference and recruitment agencies.
What types of personal data do we handle?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Contact details such as names, addresses, telephone numbers and other contact information that allow us to meet our organisational and statutory obligations to you as your Employer;
- Emergency contact(s) including details of family members and Next of Kin details;
- Education and training, incl. development reviews (appraisals);
- Employment / identity records (including professional membership, qualifications, references and proof of identity and eligibility to work in the UK) and other security screening information;
- Bank details;
- Pay, benefits and Pension details (incl. National Insurance number);
- Information around travel and subsistence;
- For staff driving a vehicle for work purposes: vehicle details, details of driving licence and vehicle insurance, tax, MOT etc.;
- Personal demographics (including protected characteristics such as gender, race, ethnicity, sexual orientation, religion, date of birth, marital status, nationality);
- Medical information including mental and physical health;
- Information relating to health and safety;
- Trade union membership;
- Offences (including alleged offences), criminal proceedings, outcomes and sentences;
- Employment Tribunal applications, Employee Relations cases, complaints, accidents, and incident details;
- Employment details (position, salary, FTE etc.) and status in relation to organisational change;
- Support provided under employee assistance programmes.
In addition, we may collect the following types of special categories of personal data:
- Racial or ethnic origin, religious preference, sexual orientation, disability, marital status and criminal record information;
- Health data disclosed by you as part of an Occupational Health screening questionnaire and/or referral;
- Qualifications and employment history; and
- Absence information.
Please note this list is not exhaustive and may change over time.
Our staff, and those of NHS South Central and West CSU, which is commissioned to provide our HR service, are trained to handle your information correctly and to protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping, and regularly check and report on how we are doing.
Your personal information will not be disclosed to a third party without your consent, unless the law allows or requires us to do so or another legal basis is clearly established.
Your information is never collected or sold for direct marketing purposes.
How Do We Use the Information We Collect?
We may use your personal data in the following ways:
- To ensure that the information we hold about you is kept up-to-date;
- To deal with any employee / employer related disputes that may arise;
- Payroll purposes;
- For assessment and analysis purposes to help improve the operation and performance of the CCG;
- To inform the development of recruiting and retention policies so that they are relevant to the CCG’s workforce;
- To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that the CCG continues to meet equality standards;
- To prevent, detect and prosecute fraud;
- To respond to requests made by other authorities, such as the police, government departments and local authorities, that have the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime;
- In accordance with the consent provided by you as part of your terms and conditions of employment; and
- To comply with the CCG’s legal obligations as an employer; i.e. HMRC and pensions.
What is the purpose of processing data?
- Staff administration and management (including payroll, performance and monitoring);
- Pensions administration;
- Business management and planning;
- Accounting and Auditing;
- Accounts and records;
- Crime prevention and prosecution of offenders;
- Health administration and services;
- Information and databank administration;
- Sharing and matching of personal information for national fraud initiative.
Legal basis for processing
For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is GDPR Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is Article 6(1) (c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
For other processing of personal data about our employees, our legal basis is Article 6(1)(b) (contract: processing is necessary for the performance of a contract to which the data subject is party) or Article 6(1)(e) (public task: processing is necessary for us to perform a task in the public interest or for our official functions, where the task or function has a clear basis in law).
Where we process special categories data for employment purposes the condition is: Article 9(2)(b) – ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.
For the processing of information about the health of our workforce, the legal basis is: Article 9(2) (h) – ‘ …processing is necessary for the purposes of preventive or occupational medicine…assessment of the working capacity of the employee…the provision of health or social care…’.
How Will We Manage Information We Receive About You?
Where we have received personal data about you from a third party (such as a previous employer or HMRC) we will provide you with:
- The identity and contact details of the third party;
- The purpose for processing your personal data and the legal basis; and
- The categories of personal data received.
Use of third party companies
To enable effective staff administration, NHS Buckinghamshire CCG may share your information with external companies that process your data on our behalf in order to comply with our obligations as an employer. All third party services commissioned by the CCG must comply with the latest Data Security and Protection Toolkit.
As part of the CCG’s Information Governance assurance process we check that each provider can demonstrate GDPR compliance, so that the CCG has assurance that they are handling your personal data to current information security, records management, data protection and confidentiality standards.
Sharing your information
There are a number of reasons why we may have to share your personal information with third parties to provide us with support services. These organisations will process information on our behalf. There may also be circumstances where information is shared without your consent, for example:
- The disclosure is necessary for a statutory function of the CCG or the third party to whom the information is being disclosed;
- There is a statutory obligation to share the data; for example, making returns to the Cabinet Office, Department of Health, Office of National Statistics etc.
- Disclosure is required for the performance of a contract;
- Disclosure is necessary to protect your vital interest; for example, in medical emergency situations;
- Disclosure is made to assist with prevention or detection of crime, or the apprehension or prosecution of offenders;
- Disclosure is required by a Court Order;
- Disclosure is necessary to assist the CCG to obtain legal advice.
These organisations are known as “data processors”. A summary Data Flow Map (Register of Processing Activities) is provided here.
Recruitment, Employee Records and Contracts Administration (NHS South, Central and West Commissioning Support Unit)
NHS South, Central and West CSU works in partnership with the CCG to provide a shared HR service.
We share information with NHS South, Central and West CSU and allow them access to employee personal data as they are responsible for undertaking our recruitment (including pre-employment checks), creating and updating all employee data in ESR (see below), and maintaining employee personal files.
NHS South, Central and West CSU may work with external service providers in order to provide this service, e.g. electronic recruitment systems and criminal record check systems.
Payroll and Pensions Administration (Salisbury NHS Foundation Trust)
The payroll of the CCG is managed by Salisbury NHS Foundation Trust. Your personal information will be made available to Salisbury NHS Foundation Trust through the Electronic Staff Record (ESR) (see below) in order to allow them to pay your salary, any associated expenses, to make appropriate deductions and to comply with our legal and statutory obligations.
From time to time we may need to share additional information to that held in ESR with Salisbury NHS Foundation Trust in order to ensure that they deliver the services we require and continue to meet statutory or contractual obligations. Data will also be shared with pension providers, e.g. NHS Pensions.
Electronic Staff Record (ESR)
Your personal information may also be used to fulfil other employer responsibilities, for example to maintain appropriate occupational health records, comply with health and safety obligations, carry out any necessary security checks and deal with all other employment related matters.
In addition, the information held may be used to send you information relevant to our employment relationship with you.
Your information will only be disclosed as required by law or to our appointed agents and/or service providers who may be used for a variety of services; for example, processing of payroll and provision of pensions administration or staff surveys.
NHS Business Services Authority (BSA), who provide ESR, and its partners as service providers will be responsible for maintaining the system. This means that they may occasionally need to access your staff record, but only to ensure that the ESR works correctly.
Where this happens, access will be very limited and is only to allow any problems with the computer system to be investigated and fixed as necessary. They will not have the right to use this data for their own purposes and contracts are in place with the Department of Health to ensure that the data is protected and that they only act on appropriate instructions.
NHS Business Services Authority (BSA) and the ESR Central Team may access anonymised data about transactions on the ESR system in order to support the development and optimal use of the system.
Some of your personal information from ESR will be transferred to a separate database, known as the Data Warehouse. This will be used by various Government and other bodies (listed below) to meet their central and strategic reporting requirements.
It will allow them to access certain personal information to generate the reports that they need and are entitled to. The Data Warehouse is intended to provide an efficient way of sharing information.
Organisations currently granted access to the Data Warehouse are: NHS Digital, NHS Employers, Health Education England and its local committees (LETBs), Deaneries, Department of Health, Welsh Government, NHS Wales Shared Services Partnership, Care Quality Commission, NHS England and NHS Improvement.
The government may allow further organisations to have access in the future and therefore an exhaustive list cannot be provided; however, any organisation having access to your data will have a legal justification for access.
Occupational Health Service Provider
The CCG’s Occupational Health Service is managed by an external provider – Oxford Health NHS Foundation Trust (OHFT). Your personal information will need to be shared with the provider as and when required in order to allow them to provide CCG employees and managers with the services required.
We provide information to our internal audit function which is provided by an external service provider RSM, in order to ensure the CCG has good processes and systems to manage and protect public funds.
Prevention and Detection of Crime and Fraud
The CCG is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
Board Portal Software (Admincontrol)
Admincontrol Board Portal software provides CCG staff with shared access to meeting papers via a secure sharing platform hosted in two locations: Oslo and Drammen, Norway. A default Privacy Statement from Admincontrol, as data processor for this platform, is published here.
It confirms the sub-processor arrangements in place to operate the platform, specifically for email correspondence and SMS messaging. Although the agreement confirms data retention periods, it does not specify the locations of the sub-processors referred to in the data processing agreement. These data processing locations are:
- Mailjet – Paris, France – email fields: from, to, subject, date
- Office 365 – Dublin, Ireland – email fields: from, to, subject, date
- Link Mobility – Oslo, Norway – phone number, name
- Nexmo (Vonage) – New Jersey, United States – personal data removed with advanced auto-redact
- Lekab – Sweden, Ireland – phone number, name
The legal basis for this processing is GDPR Article 6(1)(b) (contract): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (i.e. a staff member’s contract of employment).
The flow of data to Oslo for processing is permitted under current data protection law by virtue of a signed data processing agreement covering operation of the platform. As data controller and employer, the CCG has sought evidence of ISO information security certification, cloud compliance, registration with the relevant supervisory authority and similar assurances for all the processors and sub-processors (vendors) involved.
We may also share your personal information due to:
- Our obligations to comply with current legislation
- Our duty to comply with any Court Order which may be imposed
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation or other legal basis for disclosure.
We may obtain and share personal data with a variety of other bodies, which may include:
- Her Majesty’s Revenue and Customs (HMRC)
- Disclosure and Barring Service
- Home Office
- Child Support Agency
- Internal Audit, service currently provided by Deloitte LLP
- NHS Counter Fraud Authority
- Department of Health
- Central government, government agencies and departments
- Other local authorities and public bodies
- Ombudsman and other regulatory authorities
- Financial institutions, e.g. banks and building societies, for approved mortgage references
- Credit Reference Agencies
- Utility providers
- Educational, training and academic bodies
- Law enforcement agencies including the Police, the Serious Organised Crime Agency
- Emergency services, e.g. the Fire and Rescue Service
- Auditors e.g. Audit Commissioner
- Department for Work and Pensions (DWP)
- The Assets Recovery Agency
- Relatives or guardians of an employee where there is a legal duty to do so
National Fraud Initiative Privacy Notice
NHS Buckinghamshire CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
Staff personal data such as contact details may be provided to bodies responsible for auditing, administering public funds or where undertaking a public function for the purposes of preventing and detecting fraud. This is done in line with the Cabinet Office’s National Fraud Initiative, a data matching exercise that is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
More details on counter fraud and bribery, including the related CCG policy, are published here: https://www.buckinghamshireccg.nhs.uk/counter-fraud-and-bribery/
Transferring data outside of the EEA/EU
The CCG does not routinely transfer information outside of the European Economic Area, unless it is required for the delivery of the above HR, payroll and occupational health services. Where information is transferred outside of the EEA/EU, we will ensure that such transfers are compliant with the Data Protection Act and GDPR and that appropriate measures are put in place to ensure security of your information is maintained.
Register of Processing Activities (ROPA)
TABLE 1: Data Flow Map (Register of Processing Activities) for processors used by the CCG to manage support services for its employees
Evidence of fee payment to the Information Commissioners Office (ICO) – or equivalent where the processor is not registered in the UK
- All organisations that have access to personal identifiable data and systems must be registered as a fee payer
- Each entry shows the registration number for the company /organisation listed.
Note: this table includes only those processors known to regularly process under formal contract. It does not include processing by other government agencies, e.g. HMRC.
| Data Processor | Purpose of data processing | Evidence of fee payment |
|---|---|---|
| Admincontrol, Oslo and Drammen, Norway | Board/meeting software portal – platform hosting | With the introduction of EU GDPR in 2018, there is no longer a requirement to register with supervisory authorities, as there was under the previous Data Protection Directive 95/46/EC. |
| Mailjet – Paris, France | Board/meeting software portal – email fields: from, to, subject, date | As above |
| Link Mobility – Oslo, Norway | Board/meeting software portal – phone number, name | As above |
| Nexmo (Vonage) – New Jersey, United States | Board/meeting software portal – personal data removed with advanced auto-redact | As above |
| Lekab – Sweden, Ireland | Board/meeting software portal – phone number, name | As above |
| ASE Corporate Eyecare | Eyecare assessment referrals | Z5950151 |
| NHS Business Services Authority (BSA) | Electronic Staff Record (ESR) | Z9395747 |
| NHS South Central and West Commissioning Support Unit | Human resources function, Information Technology hardware and software support services | Z2950066 |
| Oxford Health NHS Foundation Trust | Occupational Health Service | Z1411013 |
| Pageone communications Ltd | Text message alerts | Z7689231 |
| Salisbury District Hospital NHS Trust | Pensions and payroll for CCG staff | Z6613850 |
| SEL Expenses | Travel expenses, plus HR case management, job evaluation and workforce management | ZA757880 |
| TIAA | Local counter fraud specialist | Z7336825 |
| Workplace Options | Employee Wellbeing Solutions | Z6688207 |
What if the data you hold about me is incorrect?
It is important that the information which we hold about you is up to date. If you believe that the information we hold is incorrect, in the first instance please contact your line manager or workforce team at email@example.com
How long do we keep your information?
We hold data securely in line with the Records Management Code of Practice for Health and Social Care 2016 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
Individual Rights and Subject Access Requests
Data protection law gives you rights in respect of the personal information that we hold about you. These are:
- To be informed why, where and how we use your information.
- To ask for access to your information.
- To ask for your information to be corrected if it is inaccurate or incomplete.
- To ask for your information to be deleted or removed where there is no need for us to continue processing it.
- To ask us to restrict the use of your information.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
- To object to how your information is used.
- To challenge any decisions made without human intervention (automated decision making).
Further information about these individual rights is provided in the CCG’s IG & Data Security and Protection Policies and IG Handbook, which can be found at https://www.buckinghamshireccg.nhs.uk/public/about-us/how-we-make-decisions/strategies-and-policies/
Requesting Access to your Personal Data – Subject Access Requests
Under data protection legislation, you have the right to request access to information about you that we hold (otherwise known as a Subject Access Request).
To make a request for your personal information, should you have any further queries on the uses of your information, or should you wish to lodge a complaint about the use of your information please contact the CCG Data Protection Officer:
Governance Manager | Oxfordshire Clinical Commissioning Group | Jubilee House | Oxford Business Park South | Cowley | Oxford | OX4 2LH | Tel: 01865 336795 x 9152 | Email: firstname.lastname@example.org
The provision of this information will be free of charge and provided in the format you request, i.e. hardcopy or electronic via secure email. The CCG will respond to your request without undue delay and within one month, the statutory period under GDPR.
In addition to the right of access, you also have the right to rectification or erasure of your personal data, or restriction of its processing, except where continued processing is mandated by law.
Breaches and complaints
Management of a Breach Involving Your Information
The CCG is committed to managing all data breaches in a timely and efficient manner, and will report any notifiable breach to the Information Commissioner’s Office within 72 hours of becoming aware of it, as required by GDPR.
Data breaches will be managed in accordance with the CCG’s Information Security Incident Process, the current version of which is published here
Should you wish to raise a complaint regarding the management of your information you can do so in the following ways:
Informal Resolution – you should raise your concerns with your line manager, who will liaise with the Governance Team regarding the use and management of your information.
Formal Complaint – you may raise your complaint in writing to the CCG Data Protection Officer through the contact details given above (under Subject Access Requests)
Independent Investigation – if you are unable to obtain local resolution through the CCG, you can contact the Information Commissioner’s Office which is a UK independent public body responsible for upholding information rights and data privacy at:
Tel: 0303 123 1113
By Post: Information Commissioner’s Office