Human Resources and Organisational Development - privacy notice
Who we are?
Derby City Council is the local government unitary authority for Derby City. Our address is The Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at firstname.lastname@example.org.
How do we collect information from you?
We collect information from you when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccount; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.
What types of information do we collect from you?
We collect information from you when you visit www.derby.gov.uk; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.
We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be personal information (for example your name and address), or other more sensitive data that we would only collect and use in very particular circumstances that are set out in law.
We may require information about your vaccination status from you or your employer to enable visits to care homes and other council facilities.
What is the lawful basis?
The legal basis for data processing we are relying on comes from Article 6 of the UK General Data Protection Regulation (UK GDPR). The following sections apply;
- Article 6(1)(c) Legal Obligation -Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Article 6(1)(d) Vital interest -the processing is necessary to protect someone’s life;
- Article 6(1)(e) Public task -the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
Special category data:
- It is necessary to share sensitive information for the purposes of carrying out the obligations and exercising specific rights in the field of social protection law, for the provision of health or social care treatment or the management of health or social care systems. (Article 9 2(h) UK GDPR).
- Public health processing-it is necessary for reasons of public interest in the area of public health (Article 9 2 (i) UK GDPR)
- Some special category data is available on sight, and therefore is already in the public domain. As such the primary justification for processing this information is; personal data which are manifestly made public by the data subject, in accordance in Article 9 (e).
We process all information in accordance with our legal obligations and public tasks arising from the following provisions:
- The Employee Rights Act 1996
- The National Minimum Wage Act 1998
- The Employee Relations Act 1999
- The Maternity and Parental Leave etc. Regulations 1999
- The Transfer of Undertakings (Protection of Employment) Regulations 2006
- The Agency Workers Regulations 2010:
- The Equality Act 2010
- The Working Time Regulations 1998
- The Data Protection Act 2018
- The Coronavirus Act 2020
- The Health Protection (Notification) Regulations 2010
- The Public Health (Control of Disease) Act 1984 and associated Regulations
- The Care Act 2014
- The Safeguarding Vulnerable Groups Act 2006
- The Health and Safety at Work Act 1974
- The Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) Regulations 2021
Details of information obtained from third parties?
- Tax codes, student loan notifications and such like from H M Revenue and Customs
- court orders from H M Court Service and other courts
- details of voluntary deduction information from pension providers, union bodies, benefit providers and such like
- sickness information from FirstCare
- vaccination information from Partners where appropriate.
How is your information used?
Whilst this HR privacy notice primarily relates to employees, agency workers, volunteers, and prospective employees, please note that we may be required to process your information in accordance with employment legislation and/or prospective and actual legal claims if:
- you make a complaint that specifically relates to a member of staff or;
- your personal information it is linked to an employment matter, for example an issue with the quality of service you receive
We may use your information, in accordance with the Council’s public tasks, legitimate interests, legal obligations and where applicable consent, in order to:
- pay you accurately
- produce pay statements
- manage your employment under our relevant employment policies
- to share data with First Care in accordance with contract of employment. Sickness absence information is provided directly to First Care by the employee in line with the absence recording policy enabling employee absence monitoring and Triage employee support service.
- provide you with access to your information through self-service portals
- respond to statutory returns including equality returns
- process your employee benefits
- process any voluntary deductions you request
- process statutory deductions
- allow the administration of your personal pension
- allow for the transfer of budget information
- allow independent auditors to ensure that we are complying with our internal policies and processes
- support the administration of our processes in relation to mail merges, printing and mailing services
- allow you to access the relevant external training linked to your personal development or apprenticeship
- undertake pre-employment checks should your employment application be successful (for job applicants)
- transfer data into payroll for successful applicants (for job applicants)
- complete anonymised equalities statutory returns and to target future recruitment campaigns
- support employment claims
- manage employee performance and skills
- promote collaboration and ensure you are identifiable to colleagues, service users and citizens
- promote and adhere to equality and diversity obligations and practices
- manage training and development
- authenticate access to IT systems and Council information assets (please see further details within the digital services privacy notice.)
- carry out relevant checks, where applicable, in relation to HMG Baseline Personnel Security Standards
- enable colleagues to access health services
- ensure effective response to the COVID-19 epidemic to ensure the safety, wellbeing and care of colleagues
- ensure that health & safety risks are addressed
- manage complaints related to employment matters
- investigate and manage grievances and complaints
- manage quality of service provision
- comply with official investigations. These include but are not limited to Local Government Ombudsman, Information Commissioner, Care Quality Commission, and Ofsted.
- to assess and determine your suitability for roles, this includes assessing your COVID-19 vaccination status
- to comply with the requirements of statutory bodies such as the Care Quality Commission, Public Health England and Social Work England and so on.
We may share your information with other authorities or statutory agencies, to prevent or detect fraud or protect public funds.
Where consent has been requested, you can opt out by emailing StrategicHR@derby.gov.uk.
In accordance with the schedule 1 (1), (2) & schedule 2 of the Data Protection Act 2018, & Article 6 (b), (c) & (f) of the UK General Data Protection Regulation; we may monitor the use of council assets, staff conduct & records of time keeping for purposes such as preventing and detecting criminal acts, investigating unauthorised use, making sure that policies are being followed and for training and quality control.
Examples of such monitoring may include but is not limited to: CCTV, surveillance, swipe card data, system audits, remote working, IT usage, conduct, performance and the use & management of financial assets.
Please note that all staff are not routinely monitored in a blanket manner – all monitoring will be proportionate and justified.
Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; and the Coronavirus Act 2020 and associated Regulations the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of the national, and local Coronavirus Test and Trace operations where necessary for investigations, as well as the testing and tracing of individuals, groups or businesses; and to assist in the investigation into cases of Coronavirus; Coronavirus outbreaks and issues of non-compliance with the Acts and associated Regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.
During the management of Coronavirus risks, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. Such Information includes, but is not limited to; personal identifiers, health information including vaccination information. The Council has a duty to notify national Government bodies, such as Public Health England, The Care Quality Commission and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.
The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or e-mail. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the national Information Commissioners Office approach to the current epidemic here: https://ico.org.uk/
Research and statistics
Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.
What are your rights in relation the personal data we process?
- Access – you can request copies of any of your personal information that is held by the Council.
- Rectification – you can ask us to correct any incorrect information.
- Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
- Portability – you can ask us to transfer your personal data to different services or to you.
- Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
- Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.
National Data Opt Out
We are one of many organisations working within health and social care to improve health and wellbeing for patients as well as the public. Information collected from you when you use our services may be stored and shared with services or partner organisations for purposes other than your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
This may only take place when there is a clear legal basis to use this information. Confidential information about your health and care will only be used in limited circumstances where it is not possible to use anonymised data.
You have a choice about whether you want your confidential information to be used in this way. If you are happy for your information to be used in this way you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
For more information or to register your choice to opt out please visit https://www.nhs.uk/your-nhs-data-matters/. You can choose to opt in at any time.
Please be aware that the National Data Opt Out does not apply to information used for marketing purposes, your data would only be used in this way with your specific agreement.
All Health and Social Care organisations should have systems and process in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
Our organisation is compliant with the national opt out policy.
Who has access to your information?
We may share your information with:
- Other Council Departments, Managers, Headteachers/School Business Managers, Time Administrators, Internal Audit, DMC/Business Support and Parking Services to ensure we meet our statutory and contractual duties
- Both internal & external customers, and services users, will have access to information relating to you acting in your professional capacity and your personal contact details. We will of course balance disclosures with our duty of confidence to you and your expectation of privacy
- External organisations such as; H M Revenue and Customs, Disclosure and Barring Service, H M Court Service, Police Authority, Department for Education, Department of Work and Pensions, Pensions Administrators (Derbyshire Pension Fund for Local Government Pension Scheme, Teachers Pension, Prudential, Standard Life, NHS Pension and NEST), voluntary payroll deductions, Employee Benefits Provider, external auditors, Payroll/HR software providers, external organisation linked to TUPE legislation. This is for the purposes allowed by law as well as provision of information to pension administrators and other third parties’ payroll deduction where you are a member. These third parties include Government Departments, other Local Authorities and private sector companies, as allowed by law. This would include sharing relevant information with external training providers supporting your personal development or apprenticeship
- Health and Social care partners to ensure that care is accessible and where applicable administered to colleagues
- Organisation such as the Local Government Ombudsman, Information Commissioner, Care Quality Commission, Public Health England, Department of Health and Social Care and Ofsted (this is not an exhaustive list).
We may share information in accordance with the National Fraud Initiative. For more information please refer to:
- GOV.UK - National Fraud Initative
- Our National Fraud Initiative page
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
How long will we keep your information for?
We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.
What security precautions are in place to protect the loss, misuse or alteration of your information?
We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.
Keeping your data up to date
We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.
Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.
Internet Protocol (IP) addresses are collected when our site is used:
- for statistical/analytical purposes
- to identify any malicious activity
If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer;
- By post: Information Governance, The Council House, Corporation Street, Derby, DE1 2FS
- By phone: 01332 640763
- By email: email@example.com
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):
- By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number