Staff and Membership Privacy Notice
Birmingham Community Healthcare NHS Foundation Trust, (BCHC) is a Data Controller and is registered with the Information Commissioner’s Office, (Z243363X). As a data controller, BCHC is committed to collecting, storing and processing personal information in line with UK Data Protection Law[1] and the General Data Protection Regulation (GDPR)[2].
BCHC reserves the right to update this privacy notice at any time, and will publish a new privacy notice if there are any substantial updates. From time to time, BCHC may also let you know about the processing of your personal information in other ways. It is your responsibility to keep informed and refer back to the privacy notice from time to time.
1. How Birmingham Community Healthcare NHS Foundation Trust (BCHC) use your information:
1.1. We will collect and process personal data; this is information that identifies you, and where you are the focus. The personal data is processed about employees and members, for legal, regulatory, personnel, administrative, contractual and legal compliance and governance and management purposes and to enable us to meet our legal and contractual obligations as an employer, for example to pay you, monitor your performance and to administer benefits in connection with your employment. "Employees" also includes contractors and Non-Executive Directors. “Members” refers to public, staff and partner members of the Foundation Trust and includes those elected and appointed to the Trust Council of Governors.
1.2. We may process Special Category data relating to employees including, as appropriate:
- race or ethnicity
- religious beliefs
- trade union membership
- health and wellbeing, including physical and mental health
- sexual orientation and gender
- criminal convictions
- disabilities
1.3. Personal and Special Category Information is important to enable BCHC to support you as an employee; it will aid in the management of your contract with BCHC, for example:
- about your physical or mental health in order to support employees accordingly;
- about your protected characteristics (Equality Act 2010) or similar information in order to monitor in accordance with equal opportunities legislation;
- about your Driver and Vehicle Licensing Agency (DVLA) data, offences, V5, driving licence number, points or driving exemptions/certificates;
- information relating to the commission or the alleged commission of an offence, or proceedings or sentence relating to offences or alleged offences;
- Information about your vaccination status (see section 13 below).
More detailed information about the data we process and the purposes we use it for is set out in paragraphs 2 and 3 below.
1.4. There are legal, regulatory and contractual reasons for obtaining and processing personal and special category data. Under UK Data Protection Law you have rights and in some circumstances you have a choice not to supply/share types of data, (e.g. protected characteristics data). However, in other circumstances by not supplying data where it is required, (e.g. vaccination status) it will mean BCHC are in breach of the law and therefore it could lead to a breach of employment contract conditions. Please speak to HR where you have concerns.
2. What data do we collect and process?
The data we collect identifies you, and it is important that the data we hold about you is accurate and up to date. Please let us know if your personal information changes during your working relationship with us. If any changes are required please let us know by contacting your line manager in the first instance or emailing the HR Department. We collect and process:
- Names, titles, and preferred names. Contact details such as telephone numbers, home addresses, and email addresses;
- Demographic, socio-economic, gender, age, date of birth, marital status, nationality, ethnicity, postcode, eligibility to work in the UK and disclosure and barring services (DBS) criminal record check;
- Education, academic / professional qualifications;
- Employment references, skills, former employment history;
- Time recording, working hours, attendance, annual leave, sickness, parental, adoption and compassionate leave;
- Remuneration data and information, including benefits such as pensions, tax calculations, student loan deductions, expenses, disturbance, other deduction, records of current and historic earnings and tax code;
- Financial identifiers such as bank account details and national insurance number;
- DVLA, Care insurance and licence information for expenses and insurance purposes;
- Application forms for which you have requested we provide details or a reference, e.g. mortgage, bank account, credit card, tenancy reference, visa;
- IDs such as mobile device, tablet or computer IP/GUID identifiers for the purpose of delivering BCHC apps for staff communications, E-Expenses and Finance E-Invoicing;
- Management of the employee electronic record system (ESR) and interaction with suppliers of ESR delivering services on behalf of BCHC;
- Other operational data created, obtained, or otherwise processed in the course of carrying out our business activities and your employment/engagement with BCHC, including but not limited to, media access control, IP addresses and website visit histories (including personal devices, if connected to BCHC network), logs of visitors, and logs of accidents, injuries and insurance claims; and
- Other Human Resources data (not covered above) relating to employees including emergency contact information; referral source (e.g. agency, employee referral); performance reviews and ratings and employment references; staff employment groupings.
We also collect and process your Special Category data:
- Equality and Diversity Data, Personal characteristics data;
- Data of a sensitive nature such as racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received;
- Employee vetting and background checks, including identity, financial, criminal records checks and details of any offences or alleged offences and any criminal proceedings (either actual or contemplated); and
- Right to work such as a copy of your passport or other ID.
3. For what purposes do we collect and use this data?
3.1. We process data for administering your employment relationship with us, and for:
- Communicating and informing our work force on how we operate;
- Service, products, benefits and operational business and employee information;
- Administering compensation, payroll and benefits;
- Operating and keeping a record of employee performance and related processes for workforce management purposes;
- Operating and keeping a record of absence, for example to allow effective workforce management and to ensure that employees are receiving the pay or benefits to which they are entitled;
- Obtaining occupational health advice, to ensure that we meet our obligations under health and safety law;
- Meeting insurance and legal obligations relating to expenses, vehicle insurance and health and safety;
- Complying with legal requirements, including our contractual obligations to our Employees and suppliers and our regulatory and corporate governance obligations including, for example, seeking criminal records checks from the Disclosure and Barring Service (DBS) prior to making any offer;
- Selecting employees to participate in specific projects, development and administrative projects, assigning work to Employees;
- Undertaking surveys of all staff or as a cohort of the workforce to assess levels of compliance with equality and discrimination legislation and ensuring that our workforce at all levels remains representative of the communities it serves;
- Establishing, exercising, enforcing or defending legal claims, conducting internal investigations of suspected breaches of organisational policies and monitoring Employees' use of corporate e-mail, communications, systems and Internet services;
- Complying with legal requirements to undertake Staff and Public Governor Elections to the Trust Council of Governors;
- Enabling the Trust to communicate with the Members of the Foundation Trust and ensure a representative membership.
4. On what basis are we entitled to process your information?
4.1 BCHC will only process your data where we are able to do so by law, under the legal bases available through the UK Data Protection Law and GDPR. The legal bases we use most often to collect information are:
- Performance of a contract which you are a party to or will be a party to – applies where we are required to process data in order to facilitate employment contract or any form of Agreement or Terms entered into with employees;
- Legal obligation which we, as a Data Controller are subject to, where We need to process your data in order to comply with a legal obligation (or a court order as required) – for example (the following is a non-exhaustive list) under the:
- Employment Rights Act 1996;
- Health and Safety at Work etc. Act 1974;
- Equality Act 2010;
- Disability Discrimination Act 1995; and any subsequent or secondary legislation related thereto;
- any financial requirements imposed on us by HMRC under relevant law;
- any public health requirements imposed upon us by the Health Service (Control of Patient Information) Regulations 2002 (COPI); the Coronavirus Act 2020, and other public health measures.
For use of "special category information" (e.g. information regarding your health) the Trust is reliant upon Public Interest in the area of public health etc. under Regulation 3(1) of the COPI. Under a COPI notice dated 27 August 2021 (expires 31 March 2022) We are required to process data for Covid-19 purposes including delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID, including the provision of information, fit notes and the provision of healthcare and adult social care services.
- Performance of a task carried out in the public interest or in the exercise of official authority vested in BCHC as a data controller;
- Preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
- Data Protection Act 2018 – Schedule 1 Part 1, condition 1 - employment. Where the Trust is processing the data to support the delivery of safe care within the workplace, the Trust relies on, performance of a public function by a public authority acting in the public interest and for reasons of public interest in the area of public health.
- Data Protection Act 2018 – Schedule 1, Part 1, condition 2 (f) - health or social care purposes and condition 3 - public health. Where the Trust is sharing this data as part of its relationship with its occupational health provider to support staff’s health and wellbeing the Trust relies on performance of a contractual relationship with its employee and processing is required in relation to the employee’s contract of employment with the Trust.
- Data Protection Act 2018 – Schedule 1, Part 1, condition 3 - public health. The Trust also relies on UK GDPR Article 6(1) c to process health data in relation to any employee who is required to attend a care home for any reason.[3]
- As a public body carrying out a public function in the public interest or in the exercise of official authority. Where the processing is not directly covered by an explicit legal obligation, in certain circumstances We are able to process your data to carry out our public function, for example, where We are required to process your data as a Member of the Foundation Trust, We will do so pursuant to our function as a public body governed by our Members.
- We may rely on our legitimate interests, where a formal assessment has been made and recorded.
- Where we need consent from the employee, (e.g. referral to occupational health, obtaining a medical report etc.) records of consent will be obtained and recorded.
5. How long we will keep this information
We will hold your data for the duration of your employment and for up to 6 years following the end of employment for regulatory purposes and to defend or pursue any legal claims and for our legitimate business. We will hold the personal data of members for the duration of your membership. Your membership record is deleted upon termination of your membership. We will hold your special category data for up to 8 years before we dispose of it (see paragraph 10.8).
6. Our approach to information security
6.1. To protect your information we have policies, protocols and procedures in place to make sure that only authorised personnel can access the information, that information is handled and stored in a secure and sensible manner and all systems that can access the information have the necessary security measures in place.
To accomplish this, our employees, contractors and sub-contractors have roles and responsibilities defined in those policies and procedures. In addition to these operational measures we also use a range of technologies and security systems to reinforce the policies. The relevant policies can be found on the BCHC intranet.
To make sure that these measures are suitable we perform audits to identify the areas of weaknesses and non-compliance. Additionally, all areas of the organisation are constantly monitored and measured to identify problems and issues before they arise.
7. Your rights
7.1. Under the Data Protection Act and General Data Protection Regulation you as an individual have a set of rights. When exercising any of the rights listed below, in order to process your request we may need to verify your identity for your security. In such cases your response will be necessary before you can exercise these rights. We will validate your request and respond in line with legal time scales:
- Right to be informed how we will obtain, use, share, secure and retain your data. This is fulfilled by this and other related privacy notices.
- Right to access your data, (commonly known as a subject access request) and we have a calendar month from the date the request is deemed valid to supply the data you are entitled to. We will supply information of the source of the data, purpose and processing operations and likely recipients. This will be in the form of supplying you with a copy of this privacy notice. Important information:
- BCHC can extend the initial calendar month time scale if your request is complex or you make more than one request, the response time may be a maximum of an additional two calendar months, starting from the day of a valid request. [4]
- We are only allowed to apply fees / charges to cover administration costs if the request is deemed manifestly unfounded or excessive.[5]
- Right to correct or update inaccurate data means you can challenge the accuracy of the data held about you, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’.[6]
- Right to erasure or right to be forgotten means you are able to ask for your data to be deleted. In some circumstances we may not be able to delete data due to a legal, regulatory and/or contractual reason. We will respond and inform you if this applies.
Important information to consider and act upon:
- If the data we hold on you is out of date, incomplete or incorrect, you have to inform us and your data will be updated; or
- Alternatively, if your data is related to your employment you can access the Electronic Staff Register (ESR) and amend directly at https://my.esr.nhs.uk/.
- Right to object to processing also means to request BCHC to limit the way we use your data, if you are concerned about the processing operations or accuracy of the data. This is known as ‘right to restriction’. Upon receiving the request we will inform you if this request is possible and if not what legal, regulatory, contractual or what data protection exemption applies which means we cannot comply with your request in full or in part. Even after you exercise this right we may continue to hold and process your data, however, we shall keep on record your request and our decision.
- Right to data portability means you can request data to be moved from one controller to another in a way that is accessible and machine-readable, for example as a csv file. We will consider this request if it is technically feasible. However, if we have a legal, regulatory, contractual or where a data protection exemption applies which does not allow this right to be fulfilled we will contact you and inform you of our decision.
- Right to understand ‘automated decision-making’ means when decisions or profiling processes take place which result in decisions being made about you without people being involved, in many circumstances, you have a right to prevent automated processing, understand the reasons behind decisions made about you and possible consequences and to object to the processing. There are two types and you should understand the difference, however We can consider the request and if We have a legal, regulatory, contractual or where a data protection exemption applies which does not allow this right to be fulfilled We will contact you and inform you of our decision:
- Profiling is data used to analyse or predict performance at work, economic situation or health or personal preferences;
- Automated decision making is data used to make decisions with no human intervention, (e.g. recruitment aptitude test using pre-programmed algorithms and criteria).
You have the right to be confident that we handle your personal information responsibly and in line with good practice. Therefore you have a right to raise a concern with us and/or the data protection regulator (ICO). Details below inform you how to do this.
8. Consent
8.1. Where we need your consent to hold and process your data We will ask you to confirm your consent in writing and We will inform you why We are collecting the information, how We will use it, how long We keep it for, who else will have access to it and what your rights are as a data subject. We do not rely on consent for processing your personal data in the normal course of your employment and membership. The legal bases on which we are able to process your data are set out at paragraph 4 above.
9. Sharing your information
- Where necessary to fulfil our obligations to you and our wider legal obligations and where it is in the public interest to do so we may pass your details to third parties. These third parties include HMRC, organisations undertaking Pre-Employment background checks (e.g. Disclosure and Barring Service), payroll providers and Benefit Providers, NHS Counter Fraud and organisations providing services for the annual staff survey, membership communications and governor election services.
- We may share your Covid-19 vaccination status with authorised third parties via the National Immunisation and Vaccination System (NIVS) database or other similar online repositories of vaccination status information for the purpose of public healthcare management.
- The Trust will not share your data to Third Countries outside the European Economic Area.
10. Vaccination and Testing
10.1 If you have been invited or are required to undertake any of the following:
- the coronavirus diagnostic test (either the Lateral Flow Device (LFD) test or the Polymerase Chain Reaction (PCR) test),
- the coronavirus antibody test,
- the influenza (flu) vaccination,
- the Coronavirus vaccination
then the following will apply to you.
Vaccination and Testing processes
The LFD / PCR tests will confirm whether you currently have / have had coronavirus. The flu vaccination and Coronavirus vaccination will enable you to protect yourself against seasonal flu and the Coronavirus. This is so that you can:
- take the right steps to look after yourself
- protect others
- know if you are fit and well to return to your critical role
- potentially reduce the amount of time you have to self-isolate for.
10.2 We will provide and administer all tests. We use a laboratory at University Hospitals Birmingham (UHB) to analyse and process the test data where required.
10.3 We will also provide you with the flu vaccination and Coronavirus vaccination. We will be the Data Controller for any information collected about you for the purpose of the test and vaccinations, as well as test results. Based on this the data We collect for these purposes is
10.4 Based on 10.3 above if you take any of the tests listed above, We will collect the following data from you:
- first and last name
- date of birth
- gender
- home postcode
- staff number
- Division / Directorate
- mobile phone number
If you receive a vaccination, we will collect the following information from you:
- first and last name
- date of birth
- job title
- payroll number
- relevant health information (e.g. any allergies)
- NHS number
- Ethnicity
Why is this data collected?
- performing ID verification
- processing your test
- returning your results to you
- sharing your results with governmental health bodies (see below) to inform local planning and responses to flu and coronavirus
- sharing results with UK Health Security Agency (UKHSA) to help plan and respond to flu and coronavirus
- undertaking quality assurance of the testing process, for example clinical process assurance
- data analysis to support operational decisions and data quality assurance
- supporting with risk assessments to provide assurance regarding the health and wellbeing of Trust staff and patients and to ensure a Covid secure workplace for all
10.5 The Trust may be required to share the outcomes of flu and COVID-19 tests to allow for greater understanding of COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks. The Trust may also share this data with other third parties as part of its duty to support staff health and welfare. Recipients of your data may include:
- Public Health England
- NHS England and NHS Improvement
- NHS Digital
- Your GP
- The Trust’s occupational health provider (currently Team Prevent)
- Other third parties supporting the Trust’s data quality assessments
- World Health Organisation
This may include negative as well as positive test outcomes.
Where possible, your test result and vaccination will be linked to your GP record. This will be done by NHS Digital, who will be acting jointly as Data Controllers with the Department of Health & Social Care. This will enable your GP to be informed of your test result without you needing to do anything.
Contact details
If you have any queries about this notice, need further information or wish to lodge a complaint you can contact the Trust’s Data Protection Officer whose details are set out below.
Data Protection Officer: Michael Morgan-Bullock, Head of Information Governance & Legal Services and DPO
Email: bchc.dpo@nhs.net
Telephone: 0121 466 7055
Birmingham Community Healthcare NHS Foundation Trust
3, Priestley Wharf
Holt Street
Birmingham
B7 4BN
ICO registration number Z243363X
In the event that BCHC has been unable to resolve your concerns you can raise the matter with the ICO directly. The ICO may be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk
Version Control
Version 1.3 dated 18 January 2022.
Updated to harmonise statements, ICO notices and code of practices (e.g. subject access requests), update data subject rights and refer to other privacy notices. Also to update list of databases used to determine vaccination status and accommodate the following new processes (a) Giltbyte E-expenses and (b) Thrive HR Benefit Application.
Version 1.4 dated 1 July 2022.
Updated to remove references to compulsory vaccination as the VCOD Regulations and Care Home Regulations have been revoked.
[1] UK Data Protection Law means (a) the Data Protection Act 2018 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) following the UK’s exit from the EU) (“DPA 2018”) (b) the UK GDPR (c) all applicable Law concerning privacy, confidentiality or the processing of personal data including but not limited to the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations 2003
[2] General Data Protection Regulation (GDPR) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
[3] Under the Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) Regulations 2021 (amending the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014) a care home is required to ensure that anyone entering the premises has been double vaccinated from coronavirus.
[4] A calendar month starts on the day we receive a valid request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month.
[5] When we charge a fee, the disclosure time limit does not begin until we have received payment.
[6] If your data is incomplete, you can ask for BCHC to complete it by adding more details.