RECRUITMENT/STAFF PRIVACY NOTICE
This privacy notice is for staff and prospective staff of the Practice. If you are a patient, carer or relative, you should see our patient privacy notice.
At Essex Lodge Surgery, we take data privacy very seriously and we are committed to protecting and respecting the rights of all individuals. We are dedicated to ensuring the confidentiality and privacy of information entrusted to us and aspire to be transparent when we collect and use personal data.
We are committed to collecting, storing and processing personal information in line with UK Data Protection Law and the General Data Protection Regulation (GDPR). For the purposes of this privacy notice, the term ‘staff’ includes:
- workers, including agency, casual and contracted staff
- work experience placements
We reserve the right to update this privacy notice at any time, and we will notify you with a new privacy notice if we make any substantial updates. From time to time, we may also let you know about the processing of your personal information in other ways.
This privacy notice relates to NHS Jobs staff recruitment. Essex Lodge Surgery is the data controller and is registered with the Information Commissioner’s Office (ICO), with registration number Z7157863. The surgery has been registered with the ICO since 3rd December 2002.
You may contact [email protected] for any account administration requests, e.g. if you need to make an enquiry, make a request for your personal information held as part of this candidate account, or to arrange for any mistakes to be corrected.
If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence either to the below postal address (marking the envelope FAO – Shima Haque, Practice Manager, Essex Lodge Surgery, 94 Greengate Street, London, E13 0AS), or email at [email protected].
What we do
Essex Lodge Surgery uses NHS Jobs online platform for recruitment purpose, e.g. for advertising roles, setting up interviews, sending offer letters and supporting with the completion of some employment checks.
Information that we collect
This is information that identifies you, like your name or contact details. It is important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes during your working relationship with us.
If any changes are required, please let us know by contacting your line manager in the first instance or emailing the Practice Manager.
Special category personal information
Some of the information we collect is special category data, or sensitive data, which can include:
- Your race or ethnicity
- Religious beliefs
- Trade union membership
- Health, including physical and mental health
- Sexual orientation and gender
- Criminal convictions
Extra safeguards are applied to special category information, and we must be able to demonstrate a legitimate reason to hold and use it.
Coronavirus (COVID-19) self-isolation
In addition to information relating to your health, the Practice may also collect and process information relating to coronavirus (COVID-19) self-isolation status, to help with workforce planning and ensure continuity of services.
The lawful basis will be GDPR Article 6(1) (e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1) (g) and 9(2) (h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems) and 3 (public health) are engaged.
Laws on information processing
The Practice will only process your personal information where we are able to do so by law, under the legal basis available through the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR).
The legal bases we use most often to collect information are:
- entering into and managing our employment contract
- legal obligations where processing is necessary for compliance, for example, informing HMRC of your tax and National Insurance contributions
- when considering employees’ rights as potential members of the Practice
- where the Practice may rely on its legitimate interests, where a formal assessment has been made and recorded
- Where we process sensitive personal or special categories of data about you, we will ensure this is done only where one of the following conditions applies:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, or the data subject, in the field of employment and social security and social protection law
- processing is necessary for the purposes of preventive or occupational health, assessment of the working capacity of the employee, or the provision of health or social care
- If you require further information about the legal basis for any specific aspect of processing please email Shima Haque, Practice Manager.
When we collect information about you
If you apply for a job
When you apply for a position with the Practice, you will give us relevant information about you which includes:
- personal contact details
- details of your skills, qualifications, employment history, experience, and professional membership (if relevant), and training history
- referee details
This information is required in order for us to contact you in relations to Jobs applications any changes made here will be applied to all of your applications so Essex Lodge Surgery recruitment team can contact you.
The NHS Jobs application tool to help you streamline the application process. If you choose to enter some of these details you can use the data to start an application. All details entered here are entirely optional, you are not required to enter any of this information to start an application, or create an account.
You can download or clear all data within application anytime using the NHS Jobs employee website. You are able to amend these details at any time by logging into your account.
If you are invited to interview
During recruitment and selection, we will collect additional information like:
- correspondence, interview notes, and results of any tests you’re asked to complete as part of the selection process
- copies of qualifications and certificates
- pre-employment checks, including referees
- your nationality and immigration status, to confirm your eligibility to work in the UK
- your national insurance number, tax and bank details
- details of your pension
- remuneration, including salary and entitlement to benefits
- trade union membership
- criminal record
- ethnicity, gender, health, religion or sexual orientation
- medical history relevant to your employment, including physical health, mental health and absence history
- publicly available information, like your social media presence
If you become an employee
- If you are employed by us, we may collect additional information like:
- your image, for security and ID badges
- education and training history
- appraisal and performance reviews
- security and audit data when you use NHS smart cards
- your performance, sickness absence and other work related matters
- CCTV recordings when you’re on Practice premises
- personal data recorded as a normal part of your work activity
- data relating to employee relations, like disciplinary proceedings or complaints
Disclosure and Barring Service (DBS) checks
If your application is successful, we may need to contact you in order for you to complete a basic standard or enhanced DBS check, if the role requires it. We do this under our obligation as a Registered Body for the Disclosure and Barring Service, in which we ‘countersign’ applications before they are submitted.
When performing our countersignature service, we will collect the following information:
- Your answers to the questions on the DBS disclosure form.
- The electronic form application reference and disclosure number.
- The status of the application at the DBS and timestamps for when we were notified of that status.
- Whether or not the employer should expect you to bring them a disclosure for checking.
We do not receive the completed certificate. This will be sent to you directly by the DBS. We do not store this information for longer than six months
Our lawful basis for processing your data for these purposes is our legitimate interest.
Why we collect your information
We will use your information to administer your employment and associated functions. Your information may be shared between relevant colleagues who need the information to carry out their duties, like your line manager, Practice Manager or Partners.
We use staff data to meet our legal obligations as an employer, which include:
- recruitment and selection
- compliance with visa requirements
- maintaining staff records, including payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, conduct, management progress, disciplinary and grievance process and complaints, pensions administration, and other general admin and human resource related processes
- monitoring equal opportunities
- payment of trade union membership fees
- providing facilities, like IT systems access, library services and car parking
- preventing and detecting crime, like using CCTV and photo ID badges
- communicating about the Practice, including news and events
- maintaining patient health records, in line with the Practice’s clinical records keeping standards
- managing safe environments and fitness to work
- managing human resources process, like sick pay, managing absence, parental leave, and workforce planning
- occupational health and wellbeing services
- service quality monitoring
- maintaining contact with former employees
We maintain electronic and paper records that relate to your recruitment and employment. This information is held by the Practice Manager and locally, with your line manager. All paper files are securely stored and only relevant staff will be able to access this information.
Electronic information is accessed on a need to know basis, using the Practice’s secure electronic drives, where access is only granted to appropriate individuals.
Data sharing with third parties
We may disclose personal and sensitive information to a variety of recipients when:
- there’s a legal obligation to share
- it’s necessary for the performance of your employment contract
- you have consented to the sharing
Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only disclosed to those agencies and bodies who have a need to know, when there is a lawful basis to do so.
Your Practice contact details may be shared where there is a legitimate reason to do so and this is appropriate to your role and responsibilities, and recipients may include:
- our employees, agents and contractors where there is a valid reason for them receiving the information
- professional and regulatory bodies in relation to the confirmation of conduct, including complaints, job description and information provided as part of the recruitment process
- government departments and agencies where we have a statutory obligation to provide information, like HMRC and the Department of Health
- third parties who work with us to provide staff support services, like counselling
- crime prevention or detection agencies, like the police and security organisations
- the Parliamentary and Health Service Ombudsman
- internal and external auditors
- courts and tribunals
- trade union and staff associations
- relatives or guardians of an employee
- NHS Business Services Authority
Other NHS organisations
To streamline staff movement, we may share your information if you accept an offer with another NHS organisation, or your employment transfers or is seconded to another NHS organisation.
The following information may be shared if there is a legitimate business interests of the two organisations to do so:
- personal data to verify who you are, like your name, date of birth, address, NI Number
- employment Information to allow for correct pay and annual leave and sickness entitlements, like your position, salary, and dates of any sickness
- training compliance and competency dates, to reduce the need to repeat nationally recognised training and statutory and mandatory training
This information will be shared securely.
How long do we store your information?
You can delete your candidate account at any time via NHS Jobs website. We will remove your application data within 6 months of your application, unless there are applications associated with this.
We retain application forms submitted through our service for 6 months, or 3 months after your proposed or actual start date, whichever is the greater.
Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.
Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.
Your right to withdraw consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain services to you and we will advise you if this is the case.
Rights related requests
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
How to access your personal data
If you require copies of personal information held by the Practice, speak to your Practice Manager.
The Practice may refuse your request in full or in part, where there is a legal basis to refuse and you will be informed of this.
How to complain
If you disagree with how we are processing your data, please contact Shima Haque, Practice Manager, Essex Lodge Surgery, 94 Greengate Street, London, E13 0AS or email at [email protected].
If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office. The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
This privacy notice is reviewed by Abul Hasnath, Business Manager, Essex Lodge Surgery and updated on 13th June 2022.