Staff Privacy Notice

Staff Data

If we are your employer we process your data to enable us to undertake our responsibilities under law.

Personal data provided by staff members for the purpose of employment:

6(1)(f) Necessary for the purposes of legitimate interests

Special category data provided by staff members for the purpose of employment:

This data is required to manage the operation of the organisation and to ensure compliance with the terms and conditions outlined in your contract, as part of your employment.

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

System Monitoring

We will adhere to the Information Commissioners Office guidance in relation to the monitoring of staff activity within electronic systems, for more information please see below:

https://ico.org.uk/for-organisations/advice-for-small-organisations/whats-new/blogs/employee-monitoring-is-it-right-for-your-business/

National Fraud Initiative:

The Trust has a duty to protect the public funds it administers and as such participates in the National Fraud Initiative. This is an electronic data matching exercise conducted by the Cabinet Office, carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of employees.

6(1)(e)Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For more information see the link below:
www.gov.uk/guidance/national-fraud-initiative-public-sector-data-requirements

Staff Occupational Health Data

Special category data gathered by the Trust in relation to employee health is processed for the reasons of preventative or occupational medicine and for assessment of working capacity.

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

Flu vaccines and Covid-19 Response

NHS England and Improvement have asked for there to be further concerted effort to maximise flu vaccination uptake for frontline healthcare workers before the start of December 2020. The Joint Committee on Vaccination and Immunisation (JCVI) has provided guidance on priority groups for coronavirus (COVID-19) vaccination, including health and social care workers.

You may already have a flu vaccination record if you have received a flu vaccine from your GP practice or community pharmacist. However, the record of this vaccine did not previously indicate that you are employed in the health and care system. There was also no central record if you received your flu vaccine from another health or care organisation, for example, at your hospital trust.

This is changing. Going forward, information about flu vaccines received by NHS staff in any health setting will be collected by NHS England and Improvement. In addition, information from your Electronic Staff Record (ESR) will be collected so that it can be matched with any flu vaccination record, for example, if you received a vaccine from your GP or community pharmacist.

The following data will be collected by NHS England and Improvement from the Electronic Staff Record system to ensure a flu vaccination record can be identified as relating to a staff member:

•Name
•Postcode
•Date of Birth
•Gender
•Staff number
•Organisation code
•Department in organisation.


This data will only be used to match the ESR record with your vaccine record and to support the purposes of the vaccination programme. It will not be used for any other purpose. Data about your vaccinations will only be made available to the health and care organisation that you work for and your GP practice. It will not be accessible to any other health and care organisation.
A central system, known as the National Immunisation Management System (NIMS), has been put in place to support the management of the 2020/21 flu vaccination programme for all patients registered in England. The system will:

•identify people (for example, all those above of a certain age or certain health conditions) who will be eligible for flu vaccines
•call and recall of people for vaccines making sure that the clinical need matches the vaccine supply
•ensure the maximum participation of members of the public in the vaccination programme
•maintain a record of recipients of flu vaccines
•make sure that vaccines are delivered in a safe way, for example, the gap between receiving a flu and COVID-19 vaccine (once available) is safe.


The vaccination records included on NIMS are collected from GP practices, community pharmacies and NHS school age immunisation providers. A separate system known as the National Immunisation Vaccination System (NIVS) has been established to collect flu vaccine data at the point of vaccination. NIVS will also capture data from the Electronic Staff Record system and match it with data in a vaccination record on NIMS. Employees details will then be added to NIMS so that it is clear that the vaccination record relates to a member of staff. This means that the uptake of flu vaccines by staff can be monitored which is so important when the health and care system is under pressure because of the COVID-19 pandemic and staff absences due to flu could impact further on the health and care system.

Data from NIVS and NIMS will be combined to provide a dashboard that will be made available to the managers of local NHS organisations so that they can check the vaccination status of their own staff.

Under the provisions of the COPI notice, issued by the Secretary of State for Health and Social Care, employers are legally required (not just ‘requested’) to provide confidential patient information about staff to support the flu and COVID-19 vaccination programme.

The COPI notice specifically states that confidential patient information can be shared in order to support:

“understanding …. about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care”

and can be relied upon for a number of reasons including:
•It is critical that any potential flu epidemic is managed when the NHS is already dealing with the coronavirus pandemic.
•It is important to monitor take-up of the flu vaccine by staff and the potential impact on staff absences.
•Ensuring there is an appropriate interval between administering the flu and COVID-19 vaccinations.

This legal justification for sharing confidential patient information is based on the clinical information available to us at the time of publication and may be subject to change as our understanding of COVID-19 and the safe administration of new vaccines becomes available.

The lawful bases under GDPR for establishing this system and processes are:

•Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject (with regard to the COPI notice)
•Article 6(1)(e) (with regard to the Secretary of State for Health and Social Care's public health functions under the NHS Act 2006)
•Article 9(2)(h) (the processing is necessary for health or social care purposes); and
•Article 9(2)(i) (with regard to public health functions under Regulation 3(1) of the Health Service Control of Patient Information) Regulations 2002.

The types of personal/sensitive data we hold

In order to carry out our activities and obligations as an employer we handle data in relation to:

Personal demographics (including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, sex, sexual orientation, religion or belief)
Contact details such as names, addresses, telephone numbers, emergency contact details and personal email addresses (where provided)
Employment records (including professional body registration/membership, references, proof of eligibility to work in the UK and security checks)
Bank details
Pension details
Medical information including physical health or mental condition (occupational health information)
Information relating to health and safety
Trade union / professional organisation membership
Offences (including alleged offences), criminal proceedings, outcomes and sentences
Employee relations files (grievance, disciplinary, performance, sickness absence/ill-health cases)Employment Tribunal applications, complaints, accidents, and incident details
Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.

Purpose of processing data

*Staff administration, management (including payroll and performance) and engagement
*Payroll and pensions administration
*Business management and planning
*Accounting and auditing, including to HMRC
*Accounts and records
*Crime prevention and prosecution of offenders
*Education, learning and organisational development
*Health administration and services
*Information and local and national databases and data warehouse administration
*Sharing and matching of personal information for national fraud initiative

We have a legal basis to process this as part of your contract of employment (either permanent, temporary or other working arrangements) or as part of our recruitment processes (see scope above) following data protection and employment legislation.

Sharing your information

There are a number of reasons why we share information. This can be due to:

* Our obligations to comply with legislation
* Our duty to comply with any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies

To enable effective staff administration, Leicestershire Partnership NHS Trust will share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records; Contracts Administration

The information which you provide during the course of your employment (including the recruitment process) will be shared with NHS Shared Business Services (SBS) for maintaining your employment records held on the national NHS Electronic Staff Record (ESR) system.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation. The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and Detection of Crime and Fraud

We are required to use the information we hold about you to detect and prevent crime or fraud. We are also required to share this information with other bodies that inspect and manage public funds.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you, owing to a legal/statutory obligation.

The Trust is participating in the National Fraud Initiative (NFI) 2020 exercise. The NFI matches electronic data within and between public and private sector bodies for the purpose of assisting with the prevention and detection of fraud. Some of your personal data will be collected and used by the Cabinet Office to support this exercise. The data required from participants will be the minimum needed to undertake the matching exercise including name, gender, NI number, bank account and passport number. All data will be stored electronically by the Cabinet Office or by another organisation under contract with the Cabinet Office. It will be held on a secure encrypted, password protected computer system maintained in a secure environment. For processing to be lawful under the General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018, we need to identify a legal basis before this data can be processed.

All Trust staff (and supplier) data may be submitted to the National Fraud Initiative on a regular basis. The use of data is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. You can read further information about the national fraud initiative on the Gov UK website – https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text

The identified legal basis for this activity is: GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Trust has a legal obligation under the ‘Right to Work’ – Home Office Regulations DPA 2018 Schedule 1 Part 2 Section 10 Preventing or detecting unlawful acts.

Government agencies

In order to comply with statutory requirements, we are required to supply information about you and/or your employment relationship with the Trust to central government agencies, departments or agents acting on their behalf (e.g. HMRC, Department of Health and Social Care, Home Office, DWP).

Payroll and pensions administration

The Trusts payroll provider is Lincolnshire Partnership NHS Trust. Only information to support the payroll function is provided to them. Information will be shared with Lincolnshire Partnership in pursuit of administering your pay and any associated pensions, under or overpayments

The Trust uses a system called EASY for the submission and management of expenses related to your contracted work and for which claims can be made. As part of this system Google Maps is launched to review and update distances, which is defined as ‘automated decision making’ through its linkage to your personal details held within the system, including home postcode. The Trust has a legitimate basis for using this automated decision making, in its obligation to support your rights under your contract of employment. There are systems in place to allow employees to amend any distances that are presented and also to challenge any decisions made about the claim and relevant expenses paid.

Your information rights under the UK GDPR/DPA 2018

*The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice..
*The right of access – for details about how to access your personal data, please click here
*The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information. We will correct factual mistakes and provide you with a copy of the corrected information.
*The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed.
The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required Department of Health and Social Care retention period.

*The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns.
*The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.
*The right to object – this is your right to object the processing of your data because of your particular situation. Because of our obligation as an employer it is extremely rare that we would stop processing your data whilst you are still employed by this Trust. If you believe you have compelling grounds for us to stop processing your data you should contact our Data Protection Officer.
*Rights in relation to automated decision making and profiling – the UK GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Through the use of EASY for the submission and management of work claims and expenses, limited automated decision making is used through the launching of Google Maps to review and update distances. The Trust has a legitimate basis for this in its ability to support your employment rights through the contract of employment.

Retention of your data

We will retain your information in line with the Retention Schedule within the Records Management Code of Practice (2021).