Quick job search

Staff Privacy Notice

In 2023, Isle of Wight NHS Trust (IWT) and Portsmouth Hospitals University NHS Trust (PHU) formed an NHS Group. Whilst this is not a merger, it will enable greater collaboration between the two organisations.

To enable this, the Group has implemented arrangements for a shared workforce, which means that staff can move between both organisations.

As the two trusts work more closely together, the single corporate and support structure has been designed so that services can operate across both sites. This will include the provision of HR services for staff of both trusts.

The two trusts remain separate organisations but for the purposes of data protection legislation, IWT and PHU are Joint Controllers. This means that both trusts jointly determine the purposes and means of processing your personal data. Both organisations are registered separately with the regulator for data protection, privacy and electronic communications, the Information Commissioner’s Office (ICO).

Isle of Wight NHS Trust’s ICO registration number is Z3116597.

Portsmouth Hospitals University NHS Trust’s ICO registration number is Z5031878.

 

Types of Information that we collect and hold

The trusts collect and processes a range of information about you including:

  • Your personal details such as your name, address, telephone numbers, personal email address and date of birth, next of kin details in order to administer your employment, manage our business and ensure that we can contact you in an emergency
  • Terms and conditions of your employment
  • Your national insurance number, tax and bank details, in order to pay you and details of your pension in order to enrol you onto the relevant scheme
  • Information about your skills, qualifications, employment history, experience and (where relevant) professional membership, training history in order to verify your skills and to comply with our legal obligations
  • Your nationality and immigration status to confirm your eligibility to work in the UK
  • Information about your remuneration, including entitlement to benefits
  • Trade union membership
  • Information about your criminal record
  • References
  • Medical information relevant to your employment, including physical health, mental health and absence history - in order to monitor sick leave and take decisions about your fitness to work as well as whether or not you have a disability for which the Trust needs to make reasonable adjustments
  • Information relating to your health and safety at work, and any incidents or accidents
  • Equal opportunities monitoring information, including information about ethnicity, gender, health, religion or sexual orientation, in order to monitor our compliance with equality legislation
  • Information relating to your driving licence, tax, MOT and insurance status for mileage expenses claims.
  • Details of your working patterns (days of work and working hours) and attendance at work to ensure correct pay
  • Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you (including tribunal claims) and related correspondence
  • Assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
  • Visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security and ID badges
  • The Trusts collects this information in a variety of ways, for example:
  • Application forms or CVs and personal statements
  • Personal records/documents such as your passport, driving license or other identity documents
  • Forms completed by you at the start or during employment (such as new starter form, ID checks, OH referrals, PDR records)
  • Correspondence with you (emails)
  • Interviews or other assessments
  • In person (through meetings or over the telephone)
  • Questionnaires or registration forms
  • Timesheets (both paper and electronic)
  • From third parties (previous employer(s), NHS jobs, pensions agency, information from employment background checks providers including educational establishments, the Disclosure and Barring Service, professional bodies, medical and GP records, government bodies like HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration, Electronic Staff Record (IBM) and Allocate

 

How we store your data:

The trusts take their duties to protect your personal information and confidentiality seriously.

The trusts are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether electronic or on paper. Your data will be stored in a range of different places and is kept safe and secure. All records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence will only be used in connection with the purpose for which it was provided, unless you have given specific consent or there are other special circumstances covered by law.

Your information will only be retained for as long as necessary. Records are maintained in line with the Records Management Policy and the Records Management Code of Practice for Health and Social Care which determines the length of time records should be kept.

Why we process personal data:

The trusts need to process data to enter into an employment contract with you and to meet their obligations under your employment contract.

For example, they need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer relevant benefits such as your pension and insurance entitlements.

In some cases, the trusts need to process data to ensure that it is complying with their legal obligations. For example, to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

In other cases, the trusts have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the trusts to:

  • run recruitment and promotion processes
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
  • quality monitoring (such as staff surveys)
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
  • operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the Trust complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
  • ensure effective general HR and business administration
  • provide references on request for current or former employees
  • respond to and defend against legal claims
  • provide details of available bank shifts
  • national fraud initiatives
  • maintain and promote equality in the workplace

Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities).

Where the special categories of personal data are being processed, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring.

 

Who will have access to your data:

As permitted by the Joint Controller Agreement, staff within the HR services across both trusts may access your personal data, however, this will be restricted to those who have a need to access it in order to carry out their duties.

In addition to this to support you in your employment and to enable us to meet our legal responsibilities as employers, sometimes we will need to share your information with others. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud. Where mandatory disclosure is necessary only the minimum amount of information is released.

There may also be occasions when the Trusts are reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.

We will also share your personal data with external third parties in some circumstances such as:

  • Regulators such as the GMC, NMC or HCPC and government authorities such as HMRC or the police, if we are required to do so by law or if the regulator or authority requests it and we regard that request as reasonable
  • Our insurers, legal advisers or other third parties who need access to it in the context of managing, investigating or defending claims or complaints
  • Suppliers who need it to provide a service to us, such as our lawyers, third party benefit scheme (salary sacrifice)

Lawful condition under which your personal data is being processed

Article 6 (b) of the General Data Protection Regulation states that personal data is lawful if the “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

And subsequently:

Article 9 (b) of the General Data Protection Regulation states that processing of special categories of personal data is lawful if the “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;”

This is the lawful basis on which the Trusts will process the personal data of staff for workforce related matters.

 

Access to records:

Under the General Data Protection Regulation, you have the right to request access to the information that we hold about you.

Any formal requests for access should be addressed to our Information Governance Team. We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one month of receipt unless there is a reason for delay that is justifiable.

You also have the right to know:

  • What personal data we hold about you
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long we intend to store your personal data for
  • If we did not collect the data directly from you, information about the source

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

 

How to make a complaint:

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. Depending on the nature of your complaint, we would recommend contacting your line manager in the first instance. Alternatively, you can contact our Information Governance team who will help you to identify the most appropriate procedure to follow based on the specifics of your complaint.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Web: https://ico.org.uk/concerns/   Phone: 0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.