Phone human-readable description of the message we trying to accomplish. Search human-readable description of the message we trying to accomplish. Map pin human-readable description of the message we trying to accomplish.

Need advice?

Call our 24h help line
01284 766133
We’re here to help

Call our 24/7 advice line for health care professionals and families if you need support with symptom management and end of life care.

Staff and Volunteer Privacy Notice

Sharing Information for Covid-19 Vaccination of Health and Care Staff

Part of the national response to the Covid-19 pandemic is recording the details of who has been vaccinated against Covid-19 and when.

Normally, vaccinations are undertaken in GP settings. However, with Covid-19, this will be undertaken in a variety of care settings and for the majority of health and care staff will be managed by “lead providers” on behalf of local health and care organisations.

It remains the choice of the individual whether to have the vaccine, but we need to be able to share staff details with the lead providers to ensure all staff are given the chance to receive their vaccination as part of the early cohort and we must record the details of the vaccination and share that to your GP, so your health records are kept up to date.

Under GDPR, the lawful basis for processing this data is found at Articles:

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject,

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

9(2)(h) Processing is necessary for the purposes of the provision of health or social care or treatment.

In addition, with the Coivd-19 vaccination, we have an obligation to let your employer know that you have been vaccinated to support their obligation to safety in the workplace. The lawful basis for this processing is found at Articles:

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject,

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health

Across the East of England a variety of lead providers and existing local/national systems for booking/recording and sharing of the necessary information will be used to enable the ability to rapidly roll-out this vaccination programme to staff.

If you have any questions about the use of your data for these purposes please contact Sara Taylor, data protection officer on 01284 712781

Why do we collect personal information?

The Hospice collects information necessary to begin and maintain its relationships (contractual or voluntary agreement) with staff and volunteers, for example:
•Recruitment (applications forms, CVs, DBS, verifications documents)
•Support health and wellbeing in the work environment
•Smooth operation of insurance policies and pension plans
•To provide equal opportunities to all members of the organisation

Processing of employee personal information is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller (the Hospice) or the data subject (staff member) in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. The Hospice does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.

What we never do with staff and volunteer information

Give out personal information without the employee or volunteer’s permission, unless if it is in the interest in protecting their safety.

What types of information are collected

Your personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as DBS etc.

In order to carry out our activities and obligations as an employer we handle data in relation to:
• Personal demographics (including gender, race, ethnicity, sexual orientation, religion)

• Contact details such as names, addresses, telephone numbers and emergency contact(s)

• Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)

• Bank details

• Pension details

• Occupational health information (medical information including physical health or mental condition)

• Information relating to health and safety

• Trade union membership

• Trust’s governors / membership

• Offences (including alleged offences), criminal proceedings, outcomes and sentences

• Employment Tribunal applications, complaints, accidents, and incident details

• Biometric data for specific areas to enable login to devices eg catering tills

Some of the above data can be classed as sensitive information data and we would process this data in accordance with GDPR law Article 9 (2) (b):

Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

How do we store and share information of people who work with us

The Hospice uses cloud-based service provided by CIPHR to store applicant, staff and volunteer information, this will include personal information. CIPHR, along with its data centres, is UK based and registered with the ICO. CIPHR is ISO27001:2013 accredited which means the data they store is secure and protected to an industry standard.
Role-based permissions are used to manage access to your data, so only appropriate Hospice staff can access your personal information.

How long do we hold your data for?

Information is retained in line with the NHS Records Management Code of Practice 2016 which you can read about on the NHS Digital Website https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016

Your personal information is held in both paper and electronic form on our internal system Compass which will be discussed with you in your induction.

We have a duty to:

• Keep records about you confidential and secure;

• Provide information in a format that is accessible to you

What are your rights?

Under the GDPR law you have the following rights in relation to your data we hold about you:

• The right to be informed about the processing of your personal information

• The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed

• The right to object to how your personal information is used

• The right to restrict the processing of your personal information

• The right to have your personal information erased (the ‘right to be forgotten’)

•  The right to request access to your personal information and to obtain information about how we process it