The GDPR came into force on 25 May 2018 and sets out the principles which we, as a data controller, must adhere to when processing your personal data.

The GDPR principles are as follows:

• Lawfulness, fairness, and transparency – data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose limitation – data must be collected only for specified, explicit and legitimate purposes.
• Data minimisation – data must be adequate, relevant, and limited to what is necessary.
• Accuracy – data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased.
• Storage limitation – data must only be stored for as long as is necessary.
• Integrity and confidentiality – data must be processed in a secure manner.
• Accountability – the data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

The provision of personal data is necessary in order that the organisation can enter a contract with you to provide services for the organisation. If you fail to provide the details requested, we may be unable to comply with the terms of any contract with you or comply with our legal obligations to you.

We process the following categories of personal data about you:

• Name, address, contact details, date of birth
  • In order to enter into your contract of employment you are required to provide your personal details. If you do not provide this information, we will not be able to employ you.
• Terms and conditions of employment
• Qualifications and work experience as set out in job applications and CVs
• Bank account details and national insurance number
  • In order to enter into your contract of employment you are required to provide bank details and your national insurance number to the organisation. If you do not provide this information, we will not be able to process payments to you and account for tax and national insurance deductions to HMRC which we are required to do by law.
• Pensions scheme membership details
  • You are required under the terms of your contract to provide information about your pension scheme membership. If you do not provide this information, we will not be able to administer your pension benefits.
• Information about your right to work in the UK
  • In order to enter into your contract of employment, you are legally required to provide evidence of your right to work in the UK. If you do not provide this information, we will not be able to employ you.
• Information about criminal offences
  • In order to enter into your contract of employment, you may be required to provide information and agree to undertake a DBS check to enable us to confirm that you have no relevant unspent convictions or other factors that may put service users at risk and to verify your suitability for the position. If you do not provide this information, we will not be able to employ you.
• Periods of leave which are requested, and which have been taken (annual leave and sickness absence, maternity, paternity, parental leave)
  • You are required under the terms of your contract, and you are obliged under statute, to provide information about periods of leave. We require this information to provide you with your statutory and contractual benefits. If you do not provide this information, we may not be able to provide these benefits.
• Disciplinary and grievance procedures including warnings
• Records of appraisals and performance improvement plans
• Special category data
  • Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions
  • Information about your health, including any medical conditions, health and sickness records, and data about immunisations and vaccinations
• Use of our IT, communication and other systems
• Details of your use of business-related social media, such as LinkedIn, general social media and any non-business-related internet browsing or downloads during work time
• Details in references about you that we give to others.

We collect personal information about our workforce during the recruitment process directly from candidates or sometimes from an employment recruitment agency or background check provider. Personal data about our workforce is collected in many ways: through communications with you either face to face or in writing, email or on the telephone; through monitoring of our websites and our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, from your doctors, from medical and occupational health professionals we engage, email and instant messaging systems, intranet, and internet facilities.

We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.

We aim to ensure that our data collection and processing is always proportionate. We will notify you of any material changes to information we collect.

We process the personal data of our workforce for employment purposes but also to assist and support in the running and development of the health and care system, for example by improving the management of our workforce we can improve the experience of both staff and service users.

We will only use your personal data when the law allows us to and processing is necessary. The GDPR sets out six legal bases for processing personal data.

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR:

1. Article 6(1)(b) which relates to processing necessary for the performance of a contract. For example, employment contracts, contracts with doctors and dentists, contracts with contractors and agencies through which locums are engaged.
2. Article 6(1)(c) so we can comply with our legal obligations as your employer.
3. Article 6(1)(d) in order to protect your vital interests or those of another person.
4. Article 6(1)(e) where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Hever Care Limited.
5. Article 6(1)(f) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We set out below the ways in which we process your personal data and the legal basis upon which we rely as set out above.

• Making a decision about your recruitment or appointment [Legitimate interest – the legitimate interest being the employment of a suitable workforce].
• Determining the terms on which you work for us [Legitimate interest – the legitimate interest being making appointments, maintaining good employment practices, and ensuring consistency of terms of employment across the workforce]
• Checking that you are legally entitled to work in the UK [Legal obligation]
• Where eligible, checking your criminal record [Legal obligation]
• Uploading information onto Employment Staff Record (ESR) [Legitimate interest – the legitimate interest being the employment of a suitable workforce; Contract – to administer payroll and pension].
• Paying you and deducting tax and National Insurance contributions [Contract/Legal obligation]
• Liaising with your pension provider [Contract]
• Administering the contract, we have entered into with you [Contract/Legal obligation]
• Business management and planning, including appraisal, accounting, and auditing [Legitimate interest – the legitimate interest being the effective and efficient management of the workforce and provision of health care services]

• Conducting performance reviews, managing performance and determining performance requirements [Contract/Legal obligation/Legitimate interest – contracts require compliance with Company policies, the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service conducting disciplinary procedures – [Legal obligation/Contract/Legitimate Interest – contracts require compliance with Company policies and disciplinary process. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service/Performing a task in the public interest]

• Making decisions about salary reviews [Contract]

• Assessing qualifications for a particular job or task [Legitimate interest – the legitimate interest being employment of a suitable workforce/Performing a task in the public interest].

• Gathering evidence for possible grievance or disciplinary hearings [Legal obligation/Contract/Legitimate interest – contracts require compliance with Company policies and disciplinary process. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest].

• Making decisions about your continued employment or engagement [Legal obligation/Contract/Legitimate interest – contracts require compliance with Company policies and disciplinary process. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care service/Performing a task in the public interest].

• Making arrangements for the termination of our working relationship [Legal obligation/Contract/Legitimate interest – contracts require compliance with Company policies and disciplinary process. The legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest].

• Assessing and delivering upon education, training, and development requirements [Legitimate interest – the legitimate interest being the employment and development of a suitable workforce.

• Dealing with legal disputes involving you, or other employees, workers, and contractors, including accidents at work [Legal obligation].

• Ascertaining your fitness to work [Legal obligation].

• Managing sickness absence and assessing your right to occupational sick pay [Contract/Legal obligation].

• Complying with health and safety obligations [Legal obligation]

• To prevent fraud [Legal obligation].

• To monitor use of our information and communication systems to ensure compliance with our IT policies [Legitimate interest – the legitimate interest being to monitor use of equipment, systems and facilities provided to you for business purposes in accordance with our policies and to safeguard the personal data of employees and service users.

• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. [Legitimate interest – the legitimate interest being to protect our networks and safeguard the personal data of employees and service users. Equal opportunities monitoring [Legal obligation].

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. You are responsible for notifying us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.

Under the Data Protection Act 1998, consent was the basis on which most employers processed the personal data of their workforce. Guidance issued in relation to the GDPR has stated that consent should only be relied on as the legal basis for processing where it is freely given, specific, informed, and unambiguous. We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate.

Where you provide consent to the processing of your data, you will be asked at the time the data is processed and you should be aware that you will be able to withdraw your consent at any time.

We will only process special category data about genetic and biometric data, and data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sexual orientation, where a further condition is also met.

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

• Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.

• Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.

• Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.

• Article 9(2)(f) for the establishment, exercise, or defence of legal claims.

• Article 9(2)(j) for archiving purposes in the public interest.

In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the DPA 2018. These relate to the processing of special category data for employment purposes and preventative or occupational medicine and the assessment of your working capacity as an employee.

The conditions which will usually apply are that we have a legal obligation to process the information, where it is necessary to assess your working capacity on health grounds or, less commonly, where it is needed in relation to legal claims.

We will use your special category data in the following ways:

• information relating to leaves of absence, which may include sickness absence or family related leave, to comply with employment and other laws.
• information about your physical or mental health, or disability status, to ensure your health and safety in the
• workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
• information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
• trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

• We process information about staff criminal convictions and offences. The lawful basis we rely on to process this data are:
• Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a).
• Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1.

The CQC requires that we, as CQC-regulated service providers, carry out DBS checks where we are authorised to do so under legislation. You should be aware that certain roles within the organisation will require either a standard, enhanced or enhanced with barred list information DBS check to be carried out. For those providing healthcare services, standard checks may be obtained for individuals working in a role listed in schedule 1 to the ROA (Exceptions) Order 1975 (“ROA Exceptions Order”). Paragraph 15 states:

“Any employment or other work which is concerned with the provision of health services, and which is of such a kind as to enable the holder of that employment, or the person engaged in that work to have access to persons in receipt of such services in the course of his normal duties”.

An enhanced check may be obtained for the roles listed in the ROA Exceptions Order and also in the Police Act 1997 (Criminal Records) Regulations.

Enhanced DBS checks with barred list information can be obtained for individuals where roles fall under the definitions of regulated activity within the meaning of the Safeguarding Vulnerable Groups Act 2006 as amended by the Protection of Freedoms Act 2012.

We will only require a DBS check to be made where the role is eligible, and the check shall be at the appropriate level only and no higher. We will assess the relevance of any cautions and convictions detailed in the DBS check to the role for which the applicant has applied.

Given the sensitive nature of the information contained in a DBS certificate, the organisation will ordinarily only retain on file information about the level of check which was requested and the date on which the certificate was obtained.

For a very small number of staff who work in Immigration Removal Centres we will carry out additional counter terrorist checks.

On commencement of employment with the Company, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a staff record structure operated by Hever Care Limited which is used to effectively manage the workforce leading to improved efficiency and improved client safety.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. A summary of your records will be kept until your 75th birthday or six years after leaving whichever is the longer and then reviewed. For unsuccessful job candidates, documentation is retained for six months after he or she is rejected for a role and then deleted.

However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and for clinical staff where there is a negligence claim in relation to a child, the normal three-year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff which may be at risk of certain diseases or where they were involved in an incident that could give rise to a clinical negligence claim which require a longer retention period than six years are marked appropriately as needing to be retained for a longer period.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

We may have to share your data with third parties, including third-party service providers, for example to operate the Pension Scheme. We may also need to share your data with third parties such as external contractors and our professional advisers.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities.

See “Data Recipients” below for further details about third parties the Company has nominated and their purpose.

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third-party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

Maintaining data security means guaranteeing the confidentiality, integrity, and availability (for authorised purposes) of the personal data.

You have the following rights under the GDPR:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to ask to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
• Object to processing of your personal information on grounds relating to your particular situation where we are relying on a legitimate interest (or those of a third party) or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Hever Care Limited as the lawful basis for processing
• Request the restriction of processing of your personal information on the following grounds:
  • you contest the accuracy of the personal data for a period enabling us to verify the accuracy;
  • the processing is unlawful, and you oppose the erasure of the personal data and requests restriction instead;
  • we no longer need the personal data for the original purposes of the processing, but the data is required by you for the establishment, exercise or defence of legal claims;
• Request the transfer of your personal information to another party, also known as portability.

Please contact the DPO in writing (contact details above) if you would like to exercise any of your rights under the GDPR.

Please be aware that whilst a fee will not normally apply where there is a request to access your personal data, we may charge a reasonable fee if your request for access is repeated and/or clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You should be aware that you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The contact details of the ICO are as follows:

Helpline: 0303 123 1113
ico.org.uk/concerns/