Privacy for staff

Why have we issued this privacy notice for our staff and volunteers?
By issuing this privacy notice, we demonstrate our commitment to openness and accountability.

We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:

  • Data Protection Act 2018
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • Re-Use of Public Sector Information Regs 2004
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • NHS Care Records Guarantee for England
  • Social Care Records Guarantee for England
  • International Information Security Standards
  • Information Security Code of Practice
  • Records Management Code of Practice for Health & Social Care 2016
  • Accessible Information Standards
  • General Data Protection Regulations 2018

How do we collect your information?

Your information could be collected in a number of different ways.

This could be directly from you – in person, over the telephone or on a form you have completed, such as a job application, contractual documentation or timesheet.

Details might also come from an external source such as NHS Jobs, your professional body, current or previous employers, the Disclosure and Barring Service, or government bodies like HM Revenue and Customs, the Department for Work and Pensions, or UK Visas and Immigration.

What information do we collect?

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin/emergency contacts
  • Recruitment and employment checks (e.g. professional membership, references, proof of identification and right to work in the UK)
  • Bank account and salary/wages, as well as pension, tax and national insurance details
  • Trade union membership
  • Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
  • Medical information relevant to your employment, including physical health, vaccination, mental health and absence history
  • Information relating to your health and safety at work, and any incidents or accidents
  • Professional registration and qualifications, education and training history
  • Information relating to employee relations (e.g. disciplinary proceedings, grievances and complaints, tribunal claims)
  • Depending on the position you hold with us, we may also collect information in relation to any current or previous criminal offences. Please refer to our Disclosure & Barring Service Procedure for more details, or contact our HR Department

Why do we collect your information and how is it used?

We will only process your personal data where the processing can be legally justified under UK law. Normally the lawful basis for processing your data will be “legal obligation”, “contractual purposes”, or “legitimate interests”. These include circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligation which applies to us as your employer. In any other circumstances we will seek your consent before processing your data.

This includes, but is not limited to:

  • Staff administration (inc. payroll and pensions)
  • Education, training and development
  • Information and database administration
  • Business management and planning
  • Accounting and auditing
  • Criminal prosecution and prevention
  • Health administration and services
  • National fraud initiatives
  • Quality monitoring (such as staff surveys)
  • Modelling the future provision of health and social care services within Cornwall

By signing your contract with the Trust, you acknowledge that you understand and are aware that the Trust will be holding and processing any information about you which you provide to us, or which we may acquire as a result of employment.

How do we keep your information safe and maintain confidentiality?

Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure.

Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.

Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

Every NHS organisation has senior people responsible for the overall protection, security and confidentiality of information. Within our Trust the details are as follows:

  • Senior Information Risk Owner (SIRO) – Phill Mantay, Deputy Chief Executive Officer and Director of Finance and Strategy
  • Caldicott Guardian – Chris Burford, Director of Nursing and Professions
  • Data Protection Officer – Sam Bentley, Information Governance Officer

If you have any queries or concerns you can contact the Safer Information team.

Do we share your information with anyone else?

To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others. Some of the reasons for this are included under ‘Why do we collect your information and how is it used?’

Unless there is a valid reason required or permitted by law, or there are exceptional circumstances (such as a likely risk to the safety of you or others), we will not disclose any information to third parties which can be used to identify you without your consent.

We outsource a limited number of administration and IT support services to external organisations, including payroll and occupational health. These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.

Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, we may send statutory information to government organisations such as HM Revenue and Customs, or release information to the police or counter fraud. Where mandatory disclosure is necessary, only the minimum amount of information is released.

The Trust is subject to the Freedom of Information Act 2000, which requires information about the Trust to be published and to be provided on request. This may include some personally identifiable information. This will usually be restricted to your name, role and work contact details. The Trust will refuse requests for personally identifiable details beyond those stated above wherever possible, within the exemption provided by the Act and the Data Protection Act 2018, but this may not always be possible. You will be kept informed of any such situation arising.

There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.

For occasions where consent is the lawful basis for processing, you have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the Trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.

Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules.

How can you get access to the information that we hold about you?

Under the terms of the Data Protection Act 2018 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you. The Trust has established processes for dealing with such requests. If you wish to access your information, you should contact the Safer Information team, who will facilitate and support you through the process.

You can also request further information or an application form by one of the following means:

Post:
Safer Information Team
Prentice House
Langdon Hospital
Exeter Road
Dawlish
EX7 0NR

Tel: 01392 675678
Email: dpt.ig@nhs.net

How can you contact us with queries or concerns about this privacy notice?

If you have any queries or concerns regarding the information that we hold about you, or you have a question regarding this privacy notice, please contact our Safer Information team.

How long do we retain your records?

All our records are retained in accordance with the IGA Records Management Code of Practice for Health and Social Care 2016, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are appropriately reviewed once their retention period has been met, and the Trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.

How can you make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. Depending on the nature of your complaint, we would recommend contacting your line manager in the first instance.

Alternatively, you can contact our Safer Information team, who will help you to identify the most appropriate procedure to follow based on the specifics of your complaint.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Web: https://ico.org.uk/concerns/
Phone: 0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.