Human Resources privacy notice
The Human Resources Service cares about your privacy and are committed to collecting and processing your personal information in accordance with fair and transparent information practices and in accordance with the General Data Protection Regulation (2016/679 EU) Data Protection Bill 2018.
This notice explains how the Human Resources Service handles the personal information of employees, applicants, apprentices, former employees, and temporary agency workers in the course of its human resources activities in order to manage the employment relationship.
The General Data Protection Regulation (GDPR) requires employers to be transparent about the personal data that they hold and how it is used. This document sets out this information in relation to personal data held and used within the Human Resources Service.
What personal information is being processed and what for
The Human Resource Services collects and processes a range of information about you on behalf of Cheshire East Council. This includes;
- Your name, address and contact details, including email address and telephone number, date of birth and gender;
- The terms and conditions of your employment;
- Your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
- Your remuneration, including entitlement to benefits such as pensions ;
- Details of your bank account and national insurance number;
- Information about your marital status, next of kin, dependants and emergency contacts;
- Your nationality and entitlement to work in the UK;
- Your suitability to undertake specified posts (through a DBS check in respect of a criminal record (please note you will be made aware of the need for a DBS check at the point of application);
- Details of your schedule (days of work and working hours) and attendance at work;
- Details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave;
- Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
- Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief (it will be your choice whether or not to provide this information at the point of contact).
Why the organisation processes personal data
The Council needs to process data to:
- Enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide an employment contract, to pay you correctly and to administer benefit and pension entitlements.
- Ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the employment relationship.
Processing employee data allows the organisation to;
- Run recruitment and selection processes, conduct pre-employment checks, including determining your legal right to work in the UK, carry out DBS checks (where necessary), make offers of employment and provide contracts of employment;
- Plan its resources including succession planning, budgetary and financial planning, organisational and development planning, workforce management, administration, business reporting and analytics
- Process payroll, compensation and benefits including salary, tax, salary sacrifice, pensions and business travel and expense management;
- Highlight and manage workplace issues or risks;
- Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace and to carry out internal reviews, investigations and audits;
- Operate and keep a record of employee performance and related processes, to plan for career development, provide workforce development and for education and training purposes
- Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with work-related injury and illness or disabilities and to meet its obligations under health and safety law. Ensuring that employees are receiving the pay or other benefits to which they are entitled
- Administer flexible working arrangements
- Operate and keep a record of all types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, ensuring that the organisation complies with its duties in relation to leave entitlement, and to ensure that employees receive the pay or other benefits to which they are entitled
- Manage physical access control, authorise administer, monitor and terminate access to or use of facilities, records, property and infrastructure including communications services such as telephones, laptops and email/internet use
- Ensure effective general HR and business administration, including communicating with you and facilitating communication between you and other people
- Provide references on request for current or former employees
- Respond to and defend against legal claims; and
- Maintain and promote equality in the workplace
Please note that these examples are illustrative and non-exhaustive.
Why we are allowed to use your information
We need to collect and use your personal information for a number of purposes as described in relation to the performance of your employment contract.
Where we are using your information outside of our contractual relationship and where we are not conducting a task in the public interest, the organisation relies on its legitimate interests as a reason for processing data. We will consider whether or not those interests are overridden by the rights and freedoms of employees or workers and will proceed only where we conclude that they are not.
Data on criminal convictions and offences including information relating to criminal allegations and proceedings is processed through the DBS service to carry out the organisation’s legal obligations relating to the employment of vulnerable adults or children.
Special categories of personal data are defined as information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data. This information is held and processed for the purposes of equal opportunities monitoring. Your explicit consent will be requested at the point of collection and this consent is optional.
Where your information is collected for the Employee Assistance Programme and other employee well-being programmes or benefit schemes, your explicit consent will be requested at the point that you gain access to the schemes.
Who we will share your information with
Your information will be shared with the Human Resources team, your line manager and other relevant officers for a legitimate reason as described above, and with third parties in order to:
- Obtain pre-employment checks such as references from former employers/other organisations;
- Undertake necessary criminal records checks from the Disclosure and Barring Service (for specifically identified posts);
- Provide payroll services including information to pension scheme providers; the provision of occupational health services and for the provision of training;
- Determine eligibility and appropriate level of study for training programmes and courses e.g. Apprenticeships
- Evidence attendance at training courses and programmes to maintain CPD records;
- Fulfil the Council’s legal obligations e.g. HRMC, pensions agencies, Student Loans, government agencies, Health and Safety Executive or as instructed by the Court system.
- Fulfil the Council’s obligations in respect of statutory returns e.g. Skills for Care National Minimum Dataset Statutory Return, Children’s Social Work Workforce Return.
We may disclose your personal information for legitimate purposes to:
- Agencies who perform services on behalf of the Council for the aforementioned purposes;
- A newly formed or acquiring organisation if it is involved in a merger, sale or a transfer of some or all of its business;
- Any recipient, if we are required to do so, such as by applicable court order or law;
- Any recipient, with your consent, such as for employment verification or bank loans; or
Any recipient when reasonably necessary such as in the event of a life-threatening emergency.
Where we get your information from
The organisation collects your information in a variety of ways. For example, data is collected from;
- Application forms and CVs;
- Your passport or other identity documents such as your driving licence;
- Documentation completed by you at the start of or during employment;
- Qualification certificates;
- Correspondence and progress reports from training providers;
- Correspondence with you;
- Interviews, meetings or other assessments.
From third parties, such as references supplied by former employers and information from the organisations employment background check and information from criminal records checks (DBS) as permitted by law.
How long we will keep your personal information
The organisation will hold your personal data for the duration of your employment.
The periods for which your data is held after the end of employment are set out in the Information Asset Register .
Your personal information will be retained for as long as necessary to achieve the purpose for which it was collected, usually for the duration of any contractual relationship and for any period thereafter as legally required or permitted by applicable law.
If in the future we intend to process your personal data for a purpose other than that for which it was collected we will provide you with information on that purpose and any other relevant information at that time.
How your information is stored
Data is stored in the following places:
- Personnel file on Sharepoint (HR Docs);
- Case files in HR electronic storage systems
- the Council’s HR management system;
- Line manager’s electronic and other storage systems, the archived secure storage based at Northwich Salt Mines, and
in other IT systems (including the organisation's email system, the Council’s recruitment processing system, and the Occupational Health Provider’s system).
How we protect your personal information
The Human Resources Service have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your personal information through the use of password protected systems and processes.
You are required to help with this by ensuring that your own personal information and that of your colleagues and third parties are kept secure. You should not share your (or anybody else’s) personal information unless there is a genuine business reason for doing so.
We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any personal information we hold on computer systems is not accessed by anyone it shouldn’t be.
When we use third party organisations to process information on our behalf we ask them to demonstrate their compliance with our security requirements, and any instructions we may give them ensure their compliance with relevant data protection legislation.We take reasonable steps to ensure that personal information is accurate, complete, and current.
Please note that you have shared responsibility with regard to the accuracy of your personal information. Please notify Human Resources of any changes to your personal information or that of your beneficiaries or dependents. .
What happens if you don't provide us with your information
Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable the organisation to enter a contract of employment with you and for legal reasons. You have some obligations under your employment contract to provide the organisation with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.
You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.If you do not provide other information, this will hinder the organisation's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Will your information be used to make automated decisions
No, employment decisions are not based on automated decision-making.
Will this information be transferred abroad
The information supplied in your job application is stored on servers that are owned and maintained by Oracle within the European Economic Area (EEA).
Where the supplier transfers data outside of the EU in order to perform its service and function, they are acting as Cheshire East’s processor. As such the data will be covered by GDPR.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have:
- The right to be informed about the processing of your personal data
- The right to rectification if your personal data is inaccurate or incomplete (requests to amend data will normally be processed within one month)
- The right of access to your personal data and supplementary information, and the right to confirmation that your personal data is being processed
- The right to object to the processing of your personal data for direct marketing, scientific or historical research, or statistical purposes.
- The right to be forgotten by having your personal data deleted or removed on request where there is no compelling reason for Cheshire East Council to continue to process it (requests to amend data will normally be processed within one month)
- The right to restrict processing of your personal data, for example, if you consider that processing is unlawful or the data is inaccurate. You can ask the organisation to stop processing data for a period if the data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing the data.
- The right to data portability of your personal data for your own purposes (for example, you will be allowed to obtain and reuse your data
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
If you believe that the organisation has not complied with your data protection rights, you should discuss the issue with your supervisor or another supervisor or manager, and contact the Human Resources department.
If you would like to exercise any of these rights, please contact Cheshire East Council’s Data Protection Officer, Julie Gibbs on 01270 686606 or Julie.firstname.lastname@example.org.
You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that Cheshire East Council has not complied with the requirements of the GDPR or DPA 18.