Employee privacy notice

How we use your data

Cheshire & Wirral Partnership NHS Foundation Trust is registered as a data controller with the Information Commissioner’s Office (ICO) for the purposes of the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) and is committed to ensure that it collects, stores and processes personal information about prospective, current, and former staff safely and legally.

Who does this notice apply to?

This notice applies to all current, past or prospective staff including agency, casual and contracted staff, volunteers, trainees and those carrying out work experience from recruitment to employment and beyond.

What information is provided by you?

When you apply for a position within the Trust, you will provide us with relevant information about you including:

  • Name and contact details
  • Employment history
  • Qualifications
  • Referee/reference details

During the recruitment and selection processes we will begin to add further information including:

  • Copies of qualifications and certificates
  • Pre-employment checks, including references, identity documents, right to work check information and vaccination records.
  • Publicly available information such as social media presence
  • Selection information including correspondence, interview notes, results of any selection tests that you may be undertake

Following your appointment, we may add any other information you supply to us or is required as part of your employment such as revalidation information.

What information do we get from other sources?

Information may be provided about you from a number of sources during your recruitment and on-going employment with the Trust including:

  • Disclosure and Barring Service disclosures, where applicable, which will tell the organisation about any criminal convictions you may have
  • Referees providing confidential information about your suitability to the role
  • Inter Authority Transfer (IAT) – Information held by your previous NHS employer
  • Information from HM Revenue and Customs (HMRC) relating to your pay and employment
  • Information about your right to work and visa applications
  • Pension Information when transferring within the NHS
  • Information from your manager and HR team relating to your performance, sickness absence and other work-related matters
  • Confirmation of your registration with a professional body
  • Data relating to your vaccination status such as that related to Covid

What types of personal data do we hold?

Personal data

The Trust will hold personal data about you for example: Name, address, telephone number, staff number, gender, NI Number, next of kin/emergency contact details, professional membership information, reference information and bank details

Sensitive personal data (special categories)

The Trust will also hold sensitive personal data including racial or ethnic origin, religious beliefs, trade union membership, health (including occupational health and vaccination status data where applicable), sexual orientation, criminal convictions and disabilities.

How do we use staff data?

The Trust uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:

  • Process your recruitment application and correspond with you in relation to Trust vacancies
  • Maintaining staff records
  • Recruitment and selection
  • Managing Human Resource employment matters (e.g. promotion, training and development, conduct, attendance, appraisals, management progress, grievances, misconduct investigations, disciplinary actions and complaints)
  • Administering finance (e.g. salary, pension and staff benefits)
  • Complying with visa requirements
  • Providing facilities such as IT/system access, library services and car parking
  • Monitoring equal opportunities
  • Preventing and detecting crime, such as using CCTV and using photo’s on ID badges
  • Processing biometric data (finger or thumb) for access control to Trust property see GDPR@traka.com
  • Providing communication about the Trust, news and events
  • Maintaining contact with past employees
  • Provision of wellbeing and support services
  • Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC and ensuring medicated vaccination status is maintained.
  • Carrying out research, surveys and statistical analysis (including using third party data processors to carry out the national staff survey)
  • To enrol you as a Foundation Trust member
  • Carrying out audits
  • To issue text message reminders of trust appointments i.e. Occupational Health appointments or training reminders
  • Meeting recording using MS Teams (please note that where meetings are being recorded an 'information banner' will be

The Trust processes sensitive personal data for a number of administrative purposes:

  • Equal opportunities monitoring
  • Managing Human Resources processes such as administering sick pay and sick leave, managing absence, administrating Maternity Leave and associated pay schemes
  • Managing a safe environment and ensuring fitness to work
  • Managing obligations under Equal Opportunities Legislation
  • Provision of Occupational Health and Wellbeing service to individuals including that related to your Covid and Flu vaccination status. 
  • Payment of trade union membership fees
  • To understand patterns of staff career development to ensure we can plan for a sustainable workforce for the future.
  • Under the processing of sensitive personal data for administrative purposes add “Workforce Planning Monitoring.

How do we share your data with third parties?

The Trust may disclose personal and sensitive information with a variety of recipients including:

  • Our employees, agents and contractors where there is a legitimate reason for them receiving the information

  • Current, past or potential employers of our staff to provide or obtain references
  • Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process.
  • Government departments and agencies where we have a statutory obligation to provide information (e.g. HMCR, NHS Digital, Department of Health and the Home Office)
  • The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
  • Third parties who work with us to provide staff support services (e.g. counselling)
  • Crime prevention or detection agencies (e.g. the police, security organisations, department for works and pensions and local authorities) This may include key fob, premises access systems and Trust owned electronic devices.  We may also share this information with other bodies that inspect and manage public funds. 
  • Internal and external auditors
  • Debt collection and tracing agencies
  • Courts and tribunals
  • Trade union and staff associations
  • Survey organisations for example for the annual staff survey
  • Third parties who work with us to provide workforce planning and analysis platforms

All disclosures of personal data are considered on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place.  Information is only shared with where there is a "legal basis" for doing so or where you have consented to the disclosure of your personal data to such persons.

Sharing information with the NHS business service authority

The Trust also shares employee records information with: NHS Business Services Authority.

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system. On commencement of employment with the organisation, your personal data will be uploaded into the ESR system. ESR is a workforce solution for the NHS which is used by the organisation to effectively manage the workforce leading to improved efficiency. In accepting employment with the organisation, you accept that the following personal data will be transferred in accordance with streamlining staff movement principles, if you accept an offer with another NHS organisation, or your employment transfers or is seconded to another NHS organisation the following information will be shared:

  • Personal data e.g. name, DOB, address, NI Number, to enable the new NHS employer to verify who you are
  • Employment Information e.g. your position, salary, grade, employment dates, dates of any sickness (excluding absence reasons), to enable you to be paid correctly and the new employer to calculate appropriate NHS entitlements for annual leave and sickness
  • Training compliance / competency dates, to reduce the need to repeat nationally recognised training and statutory and mandatory training

This information will be shared via the Inter Authority Transfer (IAT) which is the secure process where information is transferred from one NHS employer to another.

How is your information kept up to date?

You are responsible for promptly notifying the Trust about and changes in your information such as a change of address, telephone number or name. The Trust will take all available steps to ensure that information about you is kept up to date.

How long is your information kept for?

The Trust will retain your records no longer than is necessary in line with its obligations under data protection law.

For details of how long your data will be retained please see national retention guidelines here.

What legal basis is used for processing my information?

The Trust will only ever process your personal information where it is able to do so by law and using one of a number of legal basis available under the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR).

The legal basis we use most often as follows:

  • Performance of a contract – applies where we are required to process your information in order to facilitate your contract of employment.
  • Legal Obligations – In many cases we have a legal obligation to hold and process information about you for example informing HMRC of the tax and National Insurance Contributions you have made and ensuring the safety and care of our patients and staff.
  • Legitimate Interests – In some cases for example sharing data between NHS organisations via IAT the Trust will rely of legitimate interests of the business function.

Where we process special category data about you (i.e. racial or ethnic origin, religious beliefs, trade union membership, health, sexual orientation, criminal convictions and disabilities) we will ensure this is done so using the following one of the following legal basis:

  • Employment Rights – Carrying out obligations and specific rights required by us as an organisation for the purposes of employment (e.g. monitoring the equality and diversity of our workforce or DBS checking)
  • Preventative or Occupational Medicine – assessing the working capacity of our employees including the processing of vaccination data such as that related to Covid.

What are my individual rights?

You have certain rights with respect to the data held about you by the Trust. These are:

  • To be informed why, where and how we use your information – this is fulfilled by this privacy notice however please contact cwp.HRAdmin@nhs.net
  • you have any questions regarding this.
  • To ask for access to your information (commonly known as subject access) – please direct any subject access requests to cwp.HRAdmin@nhs.net
  • To ask for your information to be corrected if it is inaccurate or incomplete – please direct any requests under this process to cwp.HRAdmin@nhs.net
  • To ask for your information to be deleted or removed where there is no need for us to continue processing it – please direct any requests under this process to cwp.HRAdmin@nhs.net
  • To ask us to restrict the use of your information – please direct any requests under this process to cwp.HRAdmin@nhs.net
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information – please direct any requests under this process to cwp.HRAdmin@nhs.net
  • To object to how your information is used – please direct any requests under this process to cwp.HRAdmin@nhs.net
  • To challenge any decisions made without human intervention (automated decision making – please direct any requests under this process to cwp.HRAdmin@nhs.net

Further information

Questions regarding the use of your information should be directed to your line manager in the first instance.

HR questions should be directed to cwp.HRAdmin@nhs.net or 01244 393107.

Questions regarding occupational health data should be directed to cwp.ohmanager.referrals@nhs.net.

General questions about this notice should be emailed to cwp.HRAdmin@nhs.net.

Should you wish to lodge a complaint about the use of your information, please contact the Trust’s Data Protection Officer at gill.monteith@nhs.net or Gill Monteith, Information Governance Lead/DPO, Trust Headquarters Redesmere, Countess of Chester Health Park, Liverpool Road, Chester CH2 1BQ.