Privacy Notice for Staff

About Birmingham Prostate Clinic

Birmingham Prostate Clinic (BPC) is the trading name of The Birmingham Prostate Clinic Ltd, Registered Office: Wilson House, Waterberry Drive, Waterlooville, Hampshire, United Kingdom, PO7 7XX.  Company Registration Number 05509497.  Registered in England & Wales.

BPC is registered with the Information Commissioner’s Office, registration number ZA441424.


BPC is a wholly owned subsidiary of Genesis Cancer Care UK Limited (GenesisCare) and for the purposes of data protection legislation BPC and GenesisCare jointly control your data.

We will collect, store and process personal data about prospective, current and former staff in order to carry out our business activities and obligations as an employer. We recognise the need to treat staff personal data in a fair, lawful and transparent manner. We have developed this privacy notice to inform you what to expect when we collect and use information about you. It sets out:

  • What information we collect
  • Why we collect personal information
  • How we look after it
  • How to exercise your rights, and
  • How we meet our legal and other duties under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).


When we ask you for information, we will ensure we do so legally and will handle your information in a manner which respects your privacy.

We will:

  • Ask only for what we need, and not collect irrelevant information
  • Protect your information from loss, damage, misuse, unauthorised access or disclosure
  • Make sure we do not keep your information for longer than necessary
  • Keep your personal data accurate and up-to-date
  • Not disclose your data to third parties without your permission unless required to do so by law.


We ask that you:

  • Give us accurate information, and
  • Tell us as soon as possible if there are any changes, such as new contact details, as this helps us to keep your information accurate and up to date.


The GenesisCare privacy notice can be found on the GenesisCare website:

This privacy notice

For the purposes of this privacy notice, ‘staff’ includes employees, bank staff, contractors, agency placements, clinical placements, locums, honorary position holders, secondees, students, trainees, those carrying out work experience and volunteers.  Separate privacy notices have been provided for Consultants and other External Individuals and for Job Applicants.

This privacy notice covers information in all formats including email, audio recordings, photographs, online forms and paper documents.

The lawful basis for processing your personal data and the retention period for the records which we hold about you can be found in a table at the end of this privacy notice.

What information do we collect?

In order to carry out our activities and obligations as an employer we handle personal data and special category personal data.

Personal data means any information relating to an identifiable person who can be directly or indirectly identified, for example, by a name, date of birth, an identification number, location data, etc.

Special category personal data is information about an individual’s racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; sex life or sexual orientation; health, including genetic and biometric data where processed to uniquely identify an individual.  Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

The information that we collect about you includes details such as:

  • Name, address, telephone, email, date of birth and photograph
  • Next of kin
  • Recruitment and employment checks, such as professional membership, references, proof of identification and right to work in the UK
  • Bank account, pension, tax and national insurance details
  • Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs
  • Medical information relevant to your employment, including physical health, mental health and absence history, and whether you have a disability or require any additional support or adjustments for your employment
  • Information relating to your health and safety at work, and any incidents, accidents or dangerous occurrences
  • Professional registration and qualifications, education and training history, appraisals and other performance measures
  • Trade union membership
  • Information relating to employee relations, for example, disciplinary proceedings, grievances and complaints, tribunal claims
  • Still, moving and audio images
  • Equal opportunities information
  • Information about any current or previous criminal offences
  • Records of holidays or other periods of absence.

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

Why we collect your personal data

We will keep and use your information to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, whilst you are working for us and at the time when your employment ends and after you have left.

We will only process your personal data where the activity can be legally justified under UK law. We collect and use personal data about you to support the following purposes (in some cases this may be role dependent):

  • Managing employee communications and relations
  • Providing compensation and benefits
  • Administering payroll, statutory and company sick pay, health insurance or life insurance policies
  • To comply with our health and safety and occupational health obligations
  • Screening and monitoring of employees, as a condition of employment, in particular Disclosure and Barring Service
  • Processing corporate expenses and reimbursements
  • Managing employee participation in human resources plans and programs
  • Carrying out obligations under employment contracts
  • Providing occupational health and wellbeing services to individuals
  • Supporting and managing your professional development and undertaking reviews of your performance
  • Ensuring you are up to date with statutory and mandatory training and supporting additional training and talent development needs as appropriate
  • Conducting employee surveys
  • Providing informative and promotional information about the company, team and our services
  • Facilitating employee relocations and international assignments
  • Managing employee headcount and office allocation
  • Managing mergers, acquisitions and divestitures
  • Managing the employee termination process
  • Providing facilities such as building access and car parking provision
  • Managing a safe working environment
  • Managing information technology and communications systems, such as the corporate email system and company directories
  • Monitoring access through usernames and log-ins to the use of company IT equipment, network, internet (and where appropriate, building) to ensure adherence to our policies and procedures
  • Tracking how our systems are used for improvement and statistical purposes
  • Conducting ethics and disciplinary investigations
  • Equal opportunities monitoring
  • To protect your vital interests where you cannot give your consent or your consent cannot reasonably be obtained, for example, in a medical emergency
  • To protect another person’s vital interest where you have unreasonably withheld your consent
  • To meet our statutory obligations or in response to a court order
  • For the purpose of prevention or detection of crime, the apprehension or prosecution of offenders
  • Administering employee grievance, claims and litigation
  • Managing audit and compliance matters
  • Management reporting analysis
  • Complying with applicable legal obligations, including government reporting and specific local law requirements
  • Administrative purposes during clinical trials
  • Using your personal data within our systems and communications so that Health Care Professionals, suppliers, patients and any other party we share information with for our business purposes, know who you are and are able to contact you
  • Providing you with appropriate tools, systems and access to support so that you are able to carry out your tasks effectively
  • Supporting the reporting and investigation of any incidents, near misses, complaints or concerns
  • Sharing personal data with selected third parties in connection with any sale, transfer or disposal of our business, and
  • Other general human resources purposes.


In order to safeguard our staff, doctors, patients and visitors (including all their families), you may be invited to take part in testing for SARS-CoV-2, which will be on-going until all government shielding and social distancing measures due to SARS-CoV-2 have been lifted.

Your nasal and throat swab sample will be couriered to the laboratory for processing. We will supply the laboratory with basic ID details (name and DOB) to allow them to process and track your swab test. Delegated members of the research team, Director of People and Culture and the Director of Operations will have access to your information and the data gathered from the swab. The results of the swab test will be communicated by the research team to the centre leader who will contact you should a positive result be received.  The laboratory, as Data Controller, will have its own privacy policy and will protect and retain data in line with data protection legislation and national standards.

Alternatively, a finger prick test, which takes a small amount of blood, may also be performed to support weekly testing. This will be collected directly into the point of care (POC) device by delegated staff in the Centre. POC antibody test results will not be shared with you and will only be accessed by the designated tester and the research team as part of the data collection process.

How do we obtain your information?

We collect information directly from you in person, over the telephone or on a form you have completed, such as a job application, contractual documentation or timesheet. We also receive information from external sources, for example, from current or previous employers, recruitment agencies, the GenesisCare occupational health provider, the Disclosure and Barring Service, or government bodies such as HM Revenue and Customs, the Department for Work and Pensions, or UK Visas and Immigration.

Where do we store your information?

We use the GenesisCare Workday platform which provides self-service functionalities allowing you to complete, correct or remove the personal data you have added to your personal file in Workday.  Please note if you remove certain types of information, this may influence your relationship with us.  We recommend you check with the People & Culture (P&C) department before doing so.

You can also ask P&C to correct or remove your personal data at any time if the information is not accessible via the self-service functionality.

Who has access to your information?

Your personal data may be shared with colleagues who legitimately need the information to carry out their duties, such as your line manager and P&C staff.  The amount of personal information shared will be no more than is necessary.

Your name, job title, department or section, work email address and telephone number may be available in the GenesisCare internal staff directory.  This information may also appear on externally facing webpages and publications where appropriate to your role.

Your personal data may be accessed by other relevant GenesisCare departments such as finance, but only to the extent necessary to fulfil their respective tasks. GenesisCare Australia HR also has access to this personal data to provide functional support to the UK P&C department.

In exceptional cases, external employees of Workday may have access to your personal data to provide technical support and management support of the Workday platform to GenesisCare. GenesisCare has taken the required organisational and contractual measures to ensure that your personal data is only used for the purposes mentioned above.

If you are involved in supporting media relations, information about you and your role at GenesisCare may appear in our marketing materials, educational resources, presentations or within journalistic articles. These will be published online and within printed media, used in promotional material at events, advertising, broadcasting and educational platforms worldwide. You will always be informed if a media relations activity would benefit from your involvement and you will always have the right to object, if you wish.

Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you. For instance, we may need to pass on certain information to our external payroll providers, pension or health insurance schemes.

Sharing your information with third parties

There are certain limited circumstances when we may need to share your personal and sensitive personal information with third parties, for example:

  • Pension providers and insurers
  • Auditors undertaking investigations
  • Regulators during enquiries, investigations and reporting
  • Where you have given our details as a referee, we will confirm dates and nature of employment to a prospective employer in a reference.

Contractors and Service Providers engaged by GenesisCare

We may also disclose your information to business partners and third-party suppliers working under contract to provide specific services on our behalf, for example:

  • Payroll processing
  • Occupational health services
  • Staff benefits
  • IT support
  • HR administrative services

Where this happens, suppliers are bound by strict contractual provisions and safeguards.  These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.

How we will secure your personal data

We take privacy seriously and will ensure your personal data is appropriately secured and protected from being accidentally or deliberately compromised.

Those staff members managing the P&C function are trained to handle your data correctly and to protect your confidentiality and privacy.

We maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your data is never collected or sold for direct marketing purposes.

Technical and organisational measures we take to ensure the security of your information include:

  • An established network of individuals across the organisation who are accountable and responsible for information risk management
  • Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
  • Lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
  • Ensuring only appropriate individuals have access to relevant and proportionate information about you
  • Restricted access to electronic systems and folders
  • Carrying out checks on third parties who process personal data on our behalf.

International transfers of your personal information

We are part of a global organisation and we (or third parties acting on our behalf) may store or process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain, Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.

As a global organisation GenesisCare may engage global suppliers for the provision of services to the GenesisCare group of companies and such suppliers may also be located outside the UK.

Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:

  • Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
  • Implementing Standard Contractual Clauses; and
  • Adopting technical, organisational and contractual measures, where required.

In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:

  • You have explicitly consented to the proposed transfer; or
  • The transfer is necessary for the performance of a contract.

In all cases any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.

Your rights and your data

If, in the future, we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information prior to commencing the activity.

Under the General Data Protection Regulation (GDPR), you have a number of rights with regard to your personal data. These are:

  • The right to be informed about how your information is used
  • The right to access your information
  • The right to have your personal data rectified or completed
  • The right to lodge a complaint with the Information Commissioner’s Office if you believe that we have not complied with the requirements of the data protection legislation.

In certain circumstances, you also have the right to:

  • Object to the processing of personal data
  • Request a restriction on further processing
  • Request your personal data is erased
  • Withdraw your consent (where consent is relied upon)
  • Request that we transfer the information you gave us to another organisation.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data we will signpost you to the specific changes.

Information Commissioner’s Office (ICO)

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise your rights, or if you think we have not complied with our legal obligations.

Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the BPC DPO whose details are at the foot of this privacy notice.

Making a complaint will not affect any other legal rights or remedies that you have.

Information Commissioner’s Office, at, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call).  Website:

Questions and queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact:

Or write to
Birmingham Prostate Clinic
Parkway Hospital
Damson Parkway
B91 2PP

Data Protection

If you have any questions about this privacy notice or how we handle your personal data please contact the DPO:


Lawful Basis for Processing Personal Data and Retention Periods


Record Type | Retention Period | Lawful Basis for Processing the Personal Data | Lawful basis for processing special categories of personal data
Unsuccessful applications. | 6 months | Article 6 (1) (b) – necessary for the performance of a contract
Timesheets | 2 years
Roster | 6 years
Salaries paid to staff | 10 years
Staff Record – this includes (but is not limited to) evidence of right to work, security checks, training records and recruitment documentation for the successful candidate including job adverts and application forms. | May be destroyed 6 years after the staff member leaves or the 75th birthday, whichever is sooner, if a summary has been made. | Article 6 (1) (b) – necessary for the performance of a contract
Article 9 (2) (b) – necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
Article 9 (2) (f) necessary for the establishment, exercise or defence of legal claims
Article 9 (2) (h) – necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
Staff Record Summary | 6 years after the staff member leaves
Health assessments including reports from Occupational Health | Keep until 75th birthday or 6 years after the staff member leaves whichever
Occupational Health Report of Staff member under health surveillance where they have been subject to radiation doses | 50 years from the date of the last entry or until 75th birthday, whichever is longer
Exposure monitoring information | 40 years/5 years from the date of the last entry made in it
Industrial relations including tribunal case records | 10 years
Fraud case files | 6 years | Data Protection Act 2018 Schedule 1, Part 2, Paragraph 10 – Preventing or detecting unlawful acts | Data Protection Act 2018 Schedule 1, Part 2, Paragraph 10 – Preventing or detecting unlawful acts
Litigation records | 10 years | Article 6 (1) (c) – processing is necessary for compliance with a legal obligation
Article 9 (2) (f) necessary for the establishment, exercise or defence of legal claims
Subject Access Requests | 3 years or where an appeal has been made, 6 years | Data Protection Act 2018 Schedule 1, Part 2, Paragraph 6 (2) (a) – necessary for the exercise of a function conferred on a person by an enactment or rule of law
Incidents | Incidents (serious) – 20 years; Incidents (not serious) – 10 years
Article 9 (2) (h) – necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
Employee surveys | Feedback is anonymised | Article 6 (1) (f) necessary for legitimate interests for the purposes of capturing your views as an employee, benchmarking and to allow us to implement changes in response to anonymised feedback | n/a
COVID-19 Consent Forms | 6 years | Article 6(1)(a) – you have given consent for us to process your personal data for a specific purpose | Article 9(2)(a) – you have given your explicit consent to the processing of your special category personal data
Media relations activities | 6 years from the date the material was last used | Article 6 (1) (f) necessary for legitimate interests for the purposes of publicity, marketing, educational and journalistic purposes of GenesisCare | n/a