Employee Privacy Notice
During the course of its employment activities, EEAST collects, stores and processes personal information about prospective, current and former staff.
This includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
What types of personal data do we handle?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
- Contact details such as names, addresses, telephone numbers and emergency contact(s)
- Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
- Bank details
- Pension details
- Medical information including physical health or mental condition (occupational health information)
- Information relating to health and safety
- Trade union membership
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment Tribunal applications, complaints, accidents, and incident details
- CCTV Images
Our staff are trained to handle your information correctly and protect your confidentiality and privacy.
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
What is the purpose of processing data?
- Staff administration and management (including payroll and performance)
- Pensions administration
- Business management and planning
- Accounting and Auditing
- Accounts and records
- Crime prevention and prosecution of offenders
- Education
- Health administration and services
- Information and databank administration
- Sharing and matching of personal information for national fraud initiative
We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes following data protection and employment legislation.
Sharing your information
There are several reasons why we share information. This can be due to:
- Our obligations to comply with legislation
- Our duty to comply with any Court Orders which may be imposed
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a need to know, where this information is already known to the agency/body, or where you have consented to the disclosure of your personal data to such persons.
Data Retention
Information is held for specified periods of time as set out in the EEAST Retention Schedule and as per the Records Management Code of Practice (2023).
Use of Third Party Companies
To enable effective staff administration EEAST may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.
Employee Records; Contracts Administration (NHS Business Services Authority)
The information which you provide during your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.
Prevention and Detection of Crime and Fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
Individual rights
Data Protection laws give individuals rights in respect of the personal information that we hold about you:
- To be informed why, where and how we use your information
- To ask for access to your information
- To ask for your information to be corrected if it is inaccurate or incomplete
- To ask for your information to be deleted or removed where there is no need for us to continue processing it
- To ask us to restrict the use of your information
- To ask us to copy or transfer your information from one IT system to another in a safe and secure manner, without impacting the quality of the information
- To object to how your information is used
- To challenge any decisions made without human intervention (automated decision making)
It should be noted that in some cases there is a further legal basis where those processes listed above are restricted.
The Trust has a right to inform you if there is a breach of your details or if something has gone wrong with your care. This is called Duty of Candour (Health and Social Care Act 2008) or the right to inform (under DPA). Duty of Candour is a legal duty to be open and honest when something goes wrong. Wherever possible, Duty of Candour discussions must be held with the patient or person involved directly. For more information on this, please see the Trust's Duty of Candour policy.
Information regarding COVID can be found on the COVID section of our privacy notice.
Should you have any further queries on the uses of your information, please contact the Trust's Data Protection Officer on dpo@eastamb.nhs.uk.
If you remain unhappy with the outcome of your enquiry you can write to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or telephone them on 01625 545700.