Employee / Worker Privacy Notice
This Privacy Notice explains what personal information we collect from you, how we store this personal information, how long we retain it and with whom and for which legal purpose we may share it.
Please note that the terms ‘employee’ and ‘worker’ are referred to throughout this privacy notice to cover the different types of contracts held within Oxford Health NHS Foundation Trust.
Who are we?
Oxford Health NHS Foundation Trust (OHFT) provides physical, mental health and social care for people of all ages across Oxfordshire, Buckinghamshire, Wiltshire, Bath and North East Somerset.
The Trust employs more than 6,000 employees and flexible workers providing care over four counties. Our services are delivered at community bases, hospitals, clinics and in people’s homes. We focus on delivering care as close to home as possible.
Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 (subject to parliamentary approval) and our registration number is Z1411013.
Why do we collect personal information about you?
The Trust collects, stores and processes personal information about prospective, current and former staff and workers to ensure compliance with legal or industry requirements.
What is our legal basis for processing your personal information?
Processing of employee/workers personal information is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller (the Trust) or of the data subject (staff member/worker) in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
The Trust does not require explicit consent of employees/workers to process their personal data if the purpose falls within the legal basis detailed above.
You can find further information on this legislation on the website below.
What personal information do we need to collect about you and how do we obtain it?
Personal information about you will largely be collected directly from you during your recruitment and contract.
Personal information may also be collected from employees/workers in certain circumstances, through routine update checks such as professional registration and DBS clearances.
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
- Contact details such as names, addresses, telephone numbers and emergency contact(s)
- Employment checks as per NHS Employers standards
- Employment history and reference checks
- Proof of eligibility to work in the UK
- Bank details
- HMRC details (to include tax code)
- Pension details
- Occupational health information (medical information including physical health, mental conditions and vaccination status e.g. flu, COVID or any other required vaccination)
- Information relating to health and safety
- Employment Tribunal applications, complaints, accidents, and incident details
What do we do with your personal information?
Your personal information is processed for the purposes of:
- Staff administration and management
- Workforce management
- Payroll administration
- Pensions administration
- Registration to NHS Care Identity Service
- Communication in the event of an emergency and/or welfare check.
Who do we share your personal information with and why?
We will not routinely disclose any information about you without your express permission. However, in order to enable effective administration and comply with our obligations as your employer, we will share the information which you provide during the course of your contract (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system and Workforce Management System.
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Personal Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
Where possible, we will always look to anonymise/ pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/ share the minimum information necessary. However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
For any request to transfer your data internationally outside the UK/EU we will make sure that an adequate level of protection can be satisfied before the transfer.
There are a number of circumstances where we have a legal duty to share information about you to comply or manage with:
- Disciplinary/ investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC
- Legislative and/or statutory requirements
- Court Orders which may have been imposed on us
- NHS Counter Fraud requirements
- Request for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature
As a Trust we do use third party providers to facilitate your employment with OHFT who require us to share your personal information, for example:
- Our Payroll provider, Salisbury NHS Trust
- Our DBS provider, CareCheck
- Our Staff Survey Processer, Picker Institute Europe
How do we maintain your records and keep your information secure and confidential?
We take security and confidentiality very seriously. Employees and workers are required to abide by Trust Policy which defines the strict codes of conduct expected from anyone accessing your personal information, and participate in regular Information Governance training and workshops at Trust Induction.
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process your information in accordance with the Data Protection Act 2018 (subject to Parliamentary approval) as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
OHFT takes Cyber Security seriously and has dedicated teams of people who are regularly reviewing and updating security to the Trusts Confidential and Personal data both about the Trusts patients, staff and workers.
We have a duty to:
- maintain full and accurate records of the care we provide to you
- keep records about you confidential and secure
- provide information in a format that is accessible to you
What are your rights?
If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 (subject to Parliamentary approval) gives you certain rights, including the right to:
- Request to access the personal data we hold about you, e.g. personnel records.
- Request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards. Contact the Information Governance Team for further information
- Request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed;
- Ask us to restrict the use of your information where appropriate
- Ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
- To object to how your information is used.
If you wish to access the personal data we hold about you, please contact the Trust’s Human Resources Department in writing.
Please remember to include details of the information you require plus contact details and two forms of identification such as a copy of your driving license/ passport and also a document with your name and address on such as a utility bill.
Who to contact for further help
Please contact Human Resources at:
HR, The White Building
Littlemore Mental Health Centre
Data Protection Officer
Director of Corporate Affairs, Company Secretary & Data Protection Officer
Head of Information Governance & Deputy Data Protection Officer
IM&T, The White Building
Littlemore Mental Health Centre
33 Sandford Road
Information Commissioners Office*
- Information Commissioner’s OfficeWycliffe House, Water LaneWilmslowCheshire
Helpline: 0303 123 1113
*The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you have the right to complain to the ICO.
Page last reviewed: 22 December, 2021