Privacy notice for current and former staff and job applicants
During the course of its employment activities, Lancashire Teaching Hospitals Foundation NHS Trust collects, stores and processes personal information about prospective, current and former staff.
This Privacy Notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair, lawful and transparent processing can be met.
- Coronavirus/COVID19: Information and how we process your personal data
What personal data is being collected and why?
Personal data is being collected to enable the Trust to:
- identify any staff (or those closely linked to staff/dependents) who are in any of the high-risk categories and would be considered vulnerable, if infected with coronavirus.
- Identify the outcome of any staff testing for coronavirus
- perform ID verification
- process your test
- return your results to you
- share your results with governmental health bodies to inform local planning and responses to coronavirus
- share results with Public Health England to help plan and respond to coronavirus
- undertake quality assurance of the testing process, for example clinical process assurance
- analyse to support operational decisions
- To enable us to redeploy staff to lower risk work areas if required.
- To report staff who have tested positive for Covid-19 to the Health & Safety Executive under the RIDDOR requirements. We must make a report under RIDDOR (The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) when:
- an unintended incident at work has led to someone’s possible or actual exposure to coronavirus
- a worker has been diagnosed as having Covid-19 and there is reasonable evidence that it was caused by exposure at work
- a worker dies as a result of occupational exposure to coronavirus
We may collect the following information from you:
- NHS Number
- other household members’ first and last names (as they may also be invited to test if they show signs of coronavirus)
- mobile phone number
- email address
The below information is also used in conjunction with the above. This information is already held by us in your HR file:
- first and last name
- date of birth
- sex
- address (including postcode)
- National Insurance Number
Legal basis
The legal basis for processing the data is that it is in the public interest for us to deal with the outbreak of Covid-19.
The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below:
- Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
- Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing of special categories of personal data, which includes data concerning a person’s health, is prohibited unless specific further conditions can be met. These further relevant conditions are below:
- Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Schedule 1, Part 1(1) – is necessary for performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
- Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England.
Retention
The Trust will retain this information in line with the NHS Records Management Code of Practice. As this will form part of your Occupational Health Record it will be retained for either 6 years from the date you leave the Trust or until your 75th birthday, whichever is sooner.
Information provided by staff in relation to Covid-19 will not be used for any other purpose.
- What personal information we need to collect about you
The Trust collects, stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.
Personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as the Disclosure and Barring Service (DBS) etc. In order to carry out our activities and obligations as an employer we handle data in relation to:
- personal demographics (including gender, race, ethnicity, sexual orientation, religion, criminal matters)
- contact details such as names, addresses, telephone numbers and emergency contact(s)
- employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
- bank details
- pension details
- occupational health information (medical information including physical or mental health conditions)
- details of any absences (other than holidays) including statutory parental leave and sick leave
- information relating to health and safety
- trade union membership
- Trust governors/membership
- offences (including alleged offences), criminal proceedings, outcomes and sentences
- employment tribunal applications
- complaints
- accidents
- incident details
This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.
- What is the purpose of processing your personal information
This includes, but is not limited to:
- Staff administration and management (including payroll and performance)
- Pensions administration
- Business management and planning
- Accounting and Auditing
- Accounts and records
- Crime prevention and prosecution of offenders
- Education
- Health administration and services
- Information and databank administration
- Sharing and matching of personal information for national fraud initiative
We have a legal basis to process this as part of your contract of employment, as part of our recruitment processes following data protection and employment legislation or compliance with any legal obligation which applies to us as your employer or potential employer.
- Sharing your personal information
The Trust shares staff information with a range of organisations or individuals for a variety of lawful purposes, including:
- Disclosure to data processors - e.g. to companies providing archive storage of personnel records under contract to the Trust
- Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles
- Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure and Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
- Disclosure to employment agencies - e.g. in respect of agency staff
- Disclosure to banks and insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees, with individual consent
- Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings
- Disclosure to occupational health professionals (subject to explicit consent)
- Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries, or in response to a court order
- Disclosure to occupational health for public health concern and prevention of infectious disease
Confidential staff information is only shared with other organisations where there is a legal basis, when one of the following applies:
- When there is a statutory duty to share staff data
- When there is a statutory power to share staff data
- When the employee has given their explicit consent to the sharing
- Legal basis
The legal basis for processing your information is under GDPR, Article 6(1)(b), that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The collection of special categories of personal data is done under GDPR, Article 9(2)(b), that data processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment.
- Electronic staff record
As part of your employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR) and other HR systems, which will be used to store and process your personal data.
ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety. In accepting employment with the Trust, you accept that the following personal data will be transferred under the streamlining programme if your employment transfers to another NHS organisation:
- Personal information such as your name, date of birth and contact details
- Recruitment information including qualifications, registrations with professional organisations, National Insurance (NI) Number, etc.
- Payroll information
- Assignment details (job role, department etc.)
- Training records
Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers. NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce.
The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS, both to make cost savings for Trusts and to save you time when your employment transfers.
- Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
- Your rights
Data Protection law gives you rights in respect of the personal information that we hold about you. These are:
- To be informed why, where and how we use your information.
- To ask for access to your information.
- To ask for your information to be corrected if it is inaccurate or incomplete.
- To ask for your information to be deleted or removed where there is no need for us to continue processing it.
- To ask us to restrict the use of your information.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
- To object to how your information is used.
- To challenge any decisions made without human intervention (automated decision making)
You have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.
Accessing your information held by Lancashire Teaching Hospitals NHS Foundation Trust
You have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust.
Staff members wanting to access their employment information should contact their Workforce Team representative. Requests are normally fulfilled within 30 calendar days of receiving the request in writing. There is no charge for this unless the request is deemed to be manifestly unfounded, excessive or repetitive. If we determine this to be the case we will notify you of this in writing.
Freedom of Information Requests (FOI)
The Freedom of Information Act (2000) gives every individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For more details on submitting a Freedom of Information request please see: https://www.lancsteachinghospitals.nhs.uk/freedom-of-information
Complaints
Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please contact our PALS team. Staff members can speak to a Freedom to Speak Up guardian.
- Contact information and further advice
If you have any questions about the personal information that we hold about you we suggest that you speak to your line manager or a member of the Workforce Team in the first instance. Providing certain conditions are met, you can often formally request to see the personal information that the Trust holds about you. This is called a “subject access request.” Further information regarding how you can make a data subject access request can be found in the Workforce Team Subject Access Protocol.
If you have any concerns as to how your data is processed you can contact the Workforce Team on 01257 247000 or AskWorkforce@lthtr.nhs.uk or you can write to Workforce and OD Team, Education Centre 1, Royal Preston Hospital, Sharoe Green Lane, Fulwood, Preston PR2 9HT.
Alternatively, for queries around data protection and how your personal data is processed you may contact the Trust’s Data Protection Officer:
Data Protection Officer
Lancashire Teaching Hospitals NHS Foundation Trust
Sharoe Green Lane
Fulwood
Preston
Lancashire
PR2 9HT
Telephone number 01772 716565
Website: https://www.lancsteachinghospitals.nhs.uk/
Email: DPO@lthtr.nhs.uk
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone number 0845 306 060 or 01625 545 745
Website: www.ico.org.uk
- Staff privacy notice for the formation of OneLSC