Staff Privacy Notice
During the course of NHS Shetland activities we will collect, store and process personal information about our prospective, current and former staff. For the purposes of this Data Protection Notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat staff personal information in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This Data Protection Notice provides a summary of how we will ensure that we do that, by describing:
- the categories of personal information we may handle
- the purpose(s) for which it is being processed, and
- the person(s) it may be shared with.
This notice also explains what rights you have to control how we use your information. Please read it carefully to understand what we do.
What laws are relevant to the handling of personal information?
The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:
- Data Protection Legislations
- The Human Rights Act 1998
- Freedom of Information (Scotland) Act 2002
- Computer Misuse Act 1998
- Regulation of Investigatory Powers Act 2000, and
- Access to Health Records Act 1990.
NHS Shetland is the ‘Data Controller’ (the holder, user and processor) of staff information.
What types of personal information do we handle?
In order to carry our activities and obligations as an employer we handle information in relation to:
- name, home address, telephone, personal email address, date of birth, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee's application for and employment with us
- national insurance number
- special category information: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfill legal requirements)
- absence information, e.g. annual leave, sickness absence, study leave, maternity leave, paternity leave
- occupational health clearance information (see OH Privacy Notice)
- qualification and training information; and
- statutory and voluntary registration data.
- CCTV data, if your Board uses this.
- Swipe access cards, if your Board use them.
When you are no longer our employee, we may continue to share your information as described in this notice, i.e. so long as this is fair and lawful.
What is the purpose of processing data?
Your personal information is collected by NHS Shetland and shared with NHS SCOTLAND for the purposes of employee management. It will be captured and stored on an electronic system and will be used and shared by human resources (HR) professionals in NHS Shetland and board(s) where you are working in any capacity.
Occupational health clearance information – referred to as the Occupational Health Passport – will be shared by NHS Shetland with occupational health professionals in the Board, and Boards where you have been offered employment.
We use information about you in order to:
- evaluate applications for employment
- manage all aspects of your employment with us, including but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes, pensions administration, and other general administrative and human resource related processes
- develop workforce and succession plans
- maintain sickness records, and occupational health programme
- administer termination of employment and provide and maintain references
- maintain emergency contact and beneficiary details, which involves us holding information on those nominated by you
- comply with applicable laws (e.g. health and safety), including judicial or administrative orders regarding individual employees (e.g., child support payments); and
- share and match personal information for the national fraud initiative.
Sharing your information
There are a number of reasons why we share information. This can be due to:
- our obligations to comply with current legislation, and
- our duty to comply with any Court Order which may be imposed.
Any disclosures of personal information are always made on case-by-case basis, using the minimum personal information necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know,” or where you have consented to the disclosure of your personal information to such persons.
In order to comply with our obligations as an employer we will need to share your information as follows:
Reasons why we share your personal information
Who we share your information with
(the list below is not exhaustive)
For the purposes outlined above
Human resources, occupational health and line managers
Professional registration purposes
Regulatory bodies such as the General Medical Council
Contractual terms and conditions of service
Scottish Training Database
The Scottish Advisory Committee on Distinction Awards (SACDA)
Training and Development
NHS Scotland training administrators
Scottish Workforce Information Standard System (SWISS). For more information see: www.swiss.scot.nhs.uk
Pay, time and attendance
Payroll NHS Shetland and the Scottish Standard Time System (SSTS)
National and internal Employee Directory
General public and internally to NHS Scotland employees
National Fraud Initiative. Every year, the NHS is required to participate in the National Fraud initiative. As part of this, we provide payroll information for data matching. Data matching involves comparing sets of data, such as payroll or benefits records of an organisation, against other records held by the same or another organisation.
Further information about the National Fraud Initiative is available from Audit Scotland: www.audit-scotland.gov.uk
Background on sharing and our responsibilities
Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by law or regulatory requirements to do so.
The GDPR and Data Protection Legislation require personal information to be processed fairly and lawfully. In practice, this means that NHS Shetland must:
- have a legal basis for collecting and using personal information;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how it intends to use the data – and give individuals appropriate Data Protection Notices when collecting their personal information;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure it does not do anything unlawful with the data.
NHS Shetland legal basis for collecting and using staff personal information and/or special category such as health information, is because it is necessary to do so when staff have an employment contract with the Board or potentially entering into an employment contract.
Information about the rights of individuals under the Data Protection Legislation can be found within the NHS Shetland Privacy Notice.
Transferring personal information outside of the UK
Some of the processing we do may require personal information to be transferred to a country or countries outside the UK. These transfers will be made in full compliance with Data Protection regulations and in accordance with the NHS Shetland Information Security Policy.
Security of your Information
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which we are responsible, whether computerised or on paper.
At director level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who is responsible for the Boards data protection compliance and who liaises with the SIRO and Caldicott Guardian.
All staff are required to undertake regular information governance training and to be familiar with information governance policies and procedures.
Everyone working for the NHS is subject to the law of confidence. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless required or permitted by the law.
How do we collect your information?
Your information will be collected on a national workforce information system; this system is not held locally within your Board. The national system manager is authorised for full access nationally, providing access and accounts for NHS Boards system administrators. NHS Shetland has 5 staff in this role – all within HR.
We also collect information in a number of other ways, for example correspondence, forms, interview records, references, surveys.
We only keep your information for as long as it is necessary to fulfill the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.
We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.
How can you get access your personal information?
You have the right to access the information which NHS Shetland holds about you, and why, subject to any exemptions Requests can be made in a number of ways, including in writing or verbally. You will need to provide:
- adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal information located.
- an indication of what information you are requesting to enable us to locate this in an efficient manner.
- We may ask you to complete an application form to collect the data we need, although you are not obliged to do so.
You should direct your request to the Data Protection Officer – details can be found on page 9.
We aim to comply with requests for access to personal information as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.
What if the data you hold about me is incorrect?
It is important that the information which we hold about you is up to date. Staff can amend some elements of personal information as required via the national workforce information system. If any other changes not accessible via this route are required then it is important that you let us know by contacting your manager and the HR team.
Freedom of Information
The Freedom of information (Scotland) Act 2002 (FOISA) provides any person with the right to obtain information held by NHS Shetland, subject to a number of exemptions. Personal information is often exempt, however. If you would like to request some information from us, please send your request to either your Board’s FOISA Officer or the Data Protection Officer– contact details can be found on page 9.
It is possible, in certain circumstances, for staff data to be released under FOISA. If this was to occur, the relevant Data Protection requirements and guidance from the Information Commissioner’s Office (ICO) would be followed.
Any request to access personal information we hold about you will be handled under the Data Protection Legislations and GDPR.
Complaints about how we process your personal information
In the first instance, you should contact the Data Protection Officer – contact details can be found on page 9. Information about the rights of individuals under the Data Protection Act can be found online at:
How to contact the Information Commissioner’s Office (ICO)
You can contact the ICO at the following address and email:
Information Commissioner’s Office
Wilmslow SK9 5AF
How to contact us
Please contact us if you have any questions about our Staff Privacy Notice or information we hold about you:
Data Protection Officer
Upper Floor Montfield