Need to talk?
Staff and Volunteer Privacy Notice
Why do we collect personal information?
The Hospice collects information necessary to begin and maintain its relationships (contractual or voluntary agreement) with staff and volunteers, for example:
•Recruitment (applications forms, CVs, DBS, verifications documents)
•Support health and wellbeing in the work environment
•Smooth operation of insurance policies and pension plans
•To provide equal opportunities to all members of the organisation
Processing of employee personal information is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller (the Hospice) or the data subject (staff member) in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. The Hospice does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.
What we never do with staff and volunteer information
Give out personal information without the employee or volunteer’s permission, unless if it is in the interest in protecting their safety.
What types of information are collected
Your personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as DBS etc.
In order to carry out our activities and obligations as an employer we handle data in relation to:
• Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
• Contact details such as names, addresses, telephone numbers and emergency contact(s)
• Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
• Bank details
• Pension details
• Occupational health information (medical information including physical health or mental condition)
• Information relating to health and safety
• Trade union membership
• Trust’s governors / membership
• Offences (including alleged offences), criminal proceedings, outcomes and sentences
• Employment Tribunal applications, complaints, accidents, and incident details
• Biometric data for specific areas to enable login to devices eg catering tills
Some of the above data can be classed as sensitive information data and we would process this data in accordance with GDPR law Article 9 (2) (b):
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
How do we store and share information of people who work with us
The Hospice uses cloud-based service provided by CIPHR to store applicant, staff and volunteer information, this will include personal information. CIPHR, along with its data centres, is UK based and registered with the ICO. CIPHR is ISO27001:2013 accredited which means the data they store is secure and protected to an industry standard.
Role-based permissions are used to manage access to your data, so only appropriate Hospice staff can access your personal information.
How long do we hold your data for?
Information is retained in line with the NHS Records Management Code of Practice 2016 which you can read about on the NHS Digital Website https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
Your personal information is held in both paper and electronic form on our internal system Compass which will be discussed with you in your induction.
We have a duty to:
• Keep records about you confidential and secure;
• Provide information in a format that is accessible to you
What are your rights?
Under the GDPR law you have the following rights in relation to your data we hold about you:
• The right to be informed about the processing of your personal information
• The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
• The right to object to how your personal information is used
• The right to restrict the processing of your personal information
• The right to have your personal information erased (the ‘right to be forgotten’)
• The right to request access to your personal information and to obtain information about how we process it