Who is responsible for your information?
Blackpool Teaching Hospitals NHS Foundation Trust (‘the Trust’) provides a range of health-related services across a regional health economy catchment area that spans Lancashire and South Cumbria. To do this, the Trust needs to collect and use personal information about you as a staff member; this makes the Trust a ‘data controller’.
The Trust is registered as a data controller with the Information Commissioner’s Office (ICO); our registration number is Z505220.
For the purposes of this notice, the term ‘staff’ includes:
• applicants (successful and unsuccessful);
• employees (current and former);
• workers, including agency, casual, bank and contracted staff (current and former);
• students, trainees, and apprentices (current and former);
• volunteers and those on work experience placements (current and former); and,
• any other persons working for the Trust, paid or unpaid, either directly or via a third party.
As a data controller, the Trust is committed to providing you with clear and accessible information about how and why we process your information; the ways in which your information may be used; and your rights in relation to this. These rights apply to living individuals who are identifiable from the information, often referred to as data subjects.
This privacy notice complements the Trust’s Privacy Notice for Our Service Users, which can be found here.
What information does the Trust collect?
When you apply for a position at the Trust, you provide relevant information about yourself, which may include:
• personal demographics (such as name, date of birth, etc.)
• personal contact details (such as address, telephone number, email address);
• details of your skills, qualifications, employment history (current and previous), experience, training history and professional membership (if relevant); and,
• referee details.
If you are invited to interview, the Trust may collect additional information, such as:
• correspondence, interview notes, and results of any tests that you’re asked to complete as part of the selection process;
• copies of relevant qualifications and certificates;
• details of pre-employment checks;
• your nationality and immigration status (to confirm your right to work in the UK);
• your National Insurance number, tax, and bank details;
• details of your pension;
• remuneration, including your salary and entitlement to benefits;
• details relating to trade union membership;
• your criminal record;
• your ethnicity, gender, religion, and sexual orientation; and,
• your medical history relevant to your employment, including physical health, mental health, and absence history.
If you are employed by the Trust, the following may also be collected:
• your image (for security and ID badges);
• your employment contract and terms and conditions of employment;
• details relating to appraisal and performance reviews, formal and informal employment conversations (e.g., one-to-ones), periods of leave, sickness absence, and other work-related matters for managing your day-to-day employment;
• information relating to employee relations, such as disciplinary proceedings, attendance management, incidents, or complaints;
• training records, including mandatory training;
• documentation maintained and updated during your employment relating to, but not limited to, professional memberships, qualifications, revalidation, right to work, and identity checks;
• healthcare information that you have shared with your manager and/or Occupational Health;
• security and audit information relating to your use of Trust ICT equipment and systems, including the use of NHS smartcards;
• records of physical access to areas and CCTV recordings when you’re on Trust premises;
• information relating to your vehicle;
• information relating to staff benefits and salary sacrifice schemes;
• any other personal information recorded as a normal part of your work activity.
This list is not exhaustive, and there may be other information processed by the Trust in the context of a staff relationship – this privacy notice will be regularly reviewed and updated to reflect any significant changes.
This information may be held in a variety of formats, including paper records, electronic systems (such as ESR), and in audio and video files.
Where the information requested is mandatory for the Trust to comply with statutory requirements, such as immigration or taxation, failure to provide this information may affect our ability to accomplish the purposes outlined in this notice and your ongoing employment at the Trust.
Why does the Trust need this information?
The Trust may use your information for a range of purposes to facilitate your role at the organisation, manage our services, meet our legal and statutory obligations, and exercise our rights as an employer.
• To facilitate the recruitment process, which includes compliance with requirements relating to the Disclosure and Barring Service (DBS) and the right to work in the UK.
• To maintain up-to-date records of all individuals working for the Trust.
• To support and manage day-to-day employment, such as periods of leave and sickness absence; appraisals and performance reviews, etc.
• To facilitate employee relations processes, such as disciplinary proceedings, attendance management, incidents, or complaints.
• To provide and monitor education and training, including mandatory training compliance.
• To ensure ongoing eligibility to work at the Trust, including professional memberships, qualifications, revalidation, right to work, and identity checks.
• To support staff wellbeing and fitness to work, including referral to and provision of Occupational Health services.
• To provide communications about the Trust, including news and events, and about your employment.
• To provide access to equipment, services, and areas, such as ICT/system access and access to Trust sites.
• To manage a safe environment and, including safeguarding and the prevention, detection, and investigation of crime.
• To enable the payment of salaries and wages, sick pay, maternity pay, and reimbursement/expenses, and deductions such as PAYE, National Insurance, and pension contributions, and any other financial administration, such as staff benefits/salary sacrifice schemes.
• To monitor and understand the profile of the organisation’s workforce, e.g., equality and diversity analysis, to ensure fair and consistent treatment of minority groups, and meet our Trust’s obligations under equal opportunities legislation.
• To ensure that the organisation can deliver all the patient services that our Trust has been commissioned to provide, with the appropriate roles and skillsets across our staffing population.
• To enable workforce modelling, to ensure that services meet patient needs now and in the future.
• To comply with legal obligations, such as external or statutory returns to bodies including, but not limited to, NHS England, NHS Improvement, NHS Business
Services Authority, HM Revenue & Customs (HMRC), and professional bodies such as the General Medical Council (GMC) and Nursing and Midwifery Council (NMC).
What is the Trust’s lawful basis for collecting this information?
In order to process your information, the Trust must have a legal basis under the Data Protection Act 2018 (DPA 2018) and Article 6 of the UK General Data Protection Regulation (UK GDPR). When processing ‘special category’ personal data, the Trust must also have a legal basis under Article 9 of the UK GDPR. The relevant conditions are outlined below.
• Data Protection Act 2018:
o Schedule 1, Part 1(1) – ‘the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.’
• UK General Data Protection Regulation:
o Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
o Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out… in the exercise of official authority vested in the controller.’
o Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
o Article 9(2)(h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Our Trust will process your personal information to enable us to run our services and manage our relationship with you effectively, legally, and appropriately – this includes, during the recruitment process; while you are working at the Trust; and after you have left the Trust.
This includes using your information to enable us to:
• comply with the employment contract;
• comply with any legal and statutory requirements;
• carry out our rights and obligations as an employer;
• pursue any relevant legitimate interests of the Trust; and
• ensure our Trust’s position in the event of legal proceedings.
The Trust does not require consent as a legal basis to process personal information if the purpose falls under the legal bases outlined above.
How does the Trust keep your information secure and how long is it retained for?
The Trust processes your personal information for the purposes outlined in this privacy notice. When your information is held in an electronic format, it will only be stored, accessed, and shared using secure electronic systems, such as ESR and NHSmail. When held in paper format, your information will be stored safely and securely, e.g., in locked storage areas and cabinets/cupboards, to prevent unauthorised access. Your information will only be accessed and used by authorised individuals with a legitimate reason to do so.
The Trust will only retain your personal information for as long as required to fulfil the purposes for which it was collected, or as otherwise required under relevant laws and regulations. Your information is processed in accordance with the NHSx ‘Records Management Code of Practice 2021’ (August 2021), which outlines applicable retention schedules.
Who does the Trust share your information with?
To enable effective management of your employment or to comply with our obligations as an employer or public authority, the Trust may be required to share your personal information. Your information will only be shared when there is a legitimate purpose, ‘need to know’ and legal basis for sharing; only the information which is relevant to that purpose will be shared; and, only with appropriate and effective security controls in place to protect the information.
The Trust may need to share your personal information with the organisations and for the purposes which are outlined below.
• Disclosure and Barring Service (DBS) for criminal records checks, and the Home Office/Foreign Office regarding the right to work in the UK and identity checks.
• HM Revenue & Customs (HMRC) for taxation and related purposes.
• NHS Business Services Authority to facilitate NHS Pensions.
• Staff benefits and salary sacrifice providers to facilitate any offers or schemes in which you may choose to participate.
• Staffing agencies to facilitate the employment of agency staff.
• Educational institutions, such as universities (e.g., University of Central Lancashire – UCLan), to facilitate training and education, and work experience placements.
• Other NHS organisations to facilitate staff movement if your employment transfers or is seconded, including via TUPE processes.
• Police and other law enforcement agencies for the prevention, detection, and investigation of crime.
• NHS Counter Fraud Authority and other counter fraud agencies for the prevention, detection, and investigation of fraud.
• Any relevant parties to comply with a Court Order.
• Any relevant parties in relation to Safeguarding matters.
• Professional bodies, such as the General Medical Council (GMC) and Nursing and Midwifery Council (NMC), for the purposes for disciplinary and investigation processes.
• NHS England and NHS Improvement in accordance with mandatory requirements in relation to our role as an NHS trust, public authority, and employer.
The Trust is subject to the Freedom of Information Act 2000 (FOIA) which provides the public with access to information held by public authorities. Personal information is normally exempt from the FOIA, but may be disclosable in certain circumstances (e.g., details relating to very senior colleagues).
What are your rights in relation to your information?
The Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR) provide the rights outlined below to individuals regarding their information.
• To be informed – We need to tell you about how we use your information.
• To access your information – You can ask to view or have a copy of any information we hold about you.
• To rectification – We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete.
• To erasure – Also known as ‘the right to be forgotten’. This empowers individuals to have personal information about them erased where there is no overriding legal justification for its processing.
• To restriction – You have the right to request that we stop processing your personal information on a temporary basis without deleting it.
• To portability – This enables individuals to obtain and reuse their personal information for their own purposes across different services.
• To object – This provides the right for you to object to us processing your information
under certain circumstances.
• To not be subject to a decision based solely on automated processing, including profiling.
• To be informed if a data breach occurs that is likely to result in a high risk to your rights and freedoms.
The ways in which these rights apply in practice depends on:
• the legal basis for processing the information; and,
• the situation, known as ‘restrictions’, which are applied when it is seen as a necessary and proportionate measure in a democratic society to safeguard aspects such as, but not limited to, national or public security, defence, and the prevention, detection, and investigation of crime.
Further information about these rights can be obtained from the ICO’s website. If you wish to make a request under these rights, the Data Access team can be contacted by email at email@example.com or by telephone on 01253 956802.
How can you discuss the Trust’s use of your information and how can you make a complaint?
The Trust has a Data Protection Officer (DPO) who is tasked with monitoring how the Trust protects and uses your information. The Trust’s DPO is Hayley Atkinson, Head of Information Governance and Health Records, who can be contacted by email at firstname.lastname@example.org or by telephone via (01253) 953057.
We also have a dedicated Information Governance Helpdesk who can assist with any queries relating to the use of personal information in the Trust, and can be contacted by email at email@example.com or by telephone on (01253) 953057.
Or you may wish to speak to the Trust’s Freedom to Speak Up Guardian, who can be contacted by email at firstname.lastname@example.org or by telephone on 07814463497.
If you are not happy with how the Trust has handled your personal information, then we would ask that you contact us to give us the opportunity to resolve this with you in the first instance. If you remain dissatisfied, you also have the right to complain to the Information Commissioner’s Office (ICO), who can be contacted via their website or by telephone on 0303 123 1113.