Data Controller - Dartford Borough Council, Civic Centre, Home Gardens, Dartford, Kent DA1 1DR
Data Protection Officer - Marie Kelly-Stone, Head of Legal Services, Dartford Borough Council, Civic Centre, Home Gardens, Dartford, Kent DA1 1DR. Email: email@example.com
Processing activity - The Council is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us.
This privacy notice tells you what to expect when we collect personal information about you. It applies to all employees, ex-employees, agency staff, contractors, interns and secondees. However, the information we will process about you will vary depending on your specific role and personal circumstances.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis that allows us to do so. Please note that we will, if necessary, process your personal information without your knowledge or consent, where this is required or permitted by law. When appropriate, we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
This privacy notice does not form part of any contract of employment or other contract to provide services.
Sources of information - we typically collect personal information about you from a number of sources including:
- directly from you
- from an employment agency
- from your employer if you are a secondee
- your doctor
- from referees, either external or internal
- from the Disclosure Barring Service
- from Occupational Health and other health providers
- from pension administrators and other government departments, for example tax details from HMRC
- from your Trade Union
- from providers of staff benefits
- CCTV images taken using our own CCTV systems
We may collect additional personal information in the course of job-related activities throughout the period of you working for us.
If you fail to provide certain information when requested, we will not be able to fully perform the contract we have entered into with you (such as paying you or providing a benefit), or we could be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees).
Information requirements - In general terms, we process personal information relating to:
1. Your employment - we use the following information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes:
- personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses
- your date of birth, gender and NI number
- a copy of your passport or similar photographic identification and / or proof of address documents
- marital status
- next of kin, emergency contacts and their contact information
- employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare
- location of employment
- details of any secondary employment, political declarations, conflict of interest declarations or gift declarations
- disclosure barring service checks according to your job
- any criminal convictions that you declare to us
- your responses to staff surveys if this data is not anonymised
- your political declaration form in line with our policy and procedure regarding party political activities
- evidence of your right to work in the UK/immigration status
2. Salary, pension and loans - we process this information for the payment of salaries, pensions and other employment related benefits for our staff and for staff employed by Sevenoaks District Council under the shared services arrangement for Environmental Health, Internal Audit and Fraud and Revs and Bens. We also process information for the administration of statutory and contractual leave entitlements such as holiday or maternity leave:
- information about your job role and your employment contract including your start and leave dates, salary (including grade and salary band), any changes to your employment contract, working pattern (including any requests for flexible working)
- details of your time spent working and any overtime, expenses or other payments claimed, including details of any loans such as for travel season tickets
- details of any leave including sick leave, holidays, special leave etc.
- pension details including membership of both state and occupational pension schemes (current and previous)
- your bank account details, payroll records and tax status information
- Trade Union membership for the purpose of the deduction of subscriptions directly from salary
- details relating to maternity, paternity, shared parental and adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking
3. Performance and training - we use this information to assess your performance, to conduct pay and grading reviews and to deal with any employer/employee related disputes. We also use it to meet the training and development needs required for your role:
- information relating to your performance at work eg: probation reviews, appraisals, performance development reviews, promotions
- grievance and dignity at work matters and investigations to which you may be a party or witness
- disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued
- whistleblowing concerns raised by you, or to which you may be a party or witness
- information related to your training history and development needs
4. Health and wellbeing and other special category data - we use the following information to comply with our legal obligations and for equal opportunities monitoring. We also use it to ensure the health, safety and wellbeing of our employees:
- health and wellbeing information either declared by you or obtained from health checks, eye examinations, occupational health referrals and reports, sick leave forms, health management questionnaires or fit notes ie: Statement of Fitness for Work from your GP or hospital
- accident records if you have an accident at work
- location data (if you are a lone worker)
- details of any desk audits, access needs or reasonable adjustments
- information you have provided regarding protected characteristics as defined by the Equality Act 2010 for the purpose of equal opportunities monitoring - includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics
- information about criminal convictions/allegations and offences
5. Compliance with corporate policies etc., security of our premises and electronic communications systems - we have implemented industry standard security measures to assist us to keep our systems and premises secure. These security measures are primarily focused on ensuring we can detect, block and respond to malicious software (malware) and intrusion attempts and to ensure we keep our business data and your personal data secure and confidential. The security measures implemented include:
- system security - automated scanning of incoming and outgoing emails, workstations, applications and our networks for potential threats. Threats, such as phishing emails, data leakage, presence of malware, non-compliance with our policies, or other unusual activity will be escalated to our I.C.T Services for review and response;
- logs and audit trails - logging and audit trail capabilities on all systems accessed by you (for example, passwords, physical access logs, system and transactional logs from applications, systems and communication channels etc.). We have implemented automated tools to record and monitor information about your usage of login credentials, access to applications and websites and other activities carried out by you while using our systems. The automated tools have been configured to protect confidential information (including personal data) and to ensure our systems are protected against malware and other threats. These tools will also alert our I.C.T Services of such threats and of any potential non-compliance with our policies. Given that most web traffic over our systems is encrypted, the automated tools that monitor for malware and data leakage may also decrypt this traffic to ensure the continued effectiveness of these controls. Additionally, activities of users who have privileged access to our systems might be subject to a higher level of monitoring by automated tools, given the higher potential business impact in case of compromise/misuse of such credentials. From time to time, we may also share the audit logs containing information about the activities performed by users on our systems with third parties who provide information security related services to us, in order to investigate any system issues or data breaches;
- CCTV - we operate CCTV to help keep our premises secure. Images of you may be captured as part of the CCTV operation. We only view images where an incident has occurred on our premises. Any targeted monitoring of staff will take place within the context of our disciplinary procedures;
- Peoplesafe - if you are a lone worker, you may be exposed to personal danger from work-related violence, verbal abuse, accidents, illness or injury. As an employer, we have a duty of care to our employees to protect them from unnecessary risk. We have licensed personal safety alarms (GPS locating technology, two-way voice communications, memo function and ‘Man Down’) to enable you to summon help in the event of an incident that threatens your wellbeing.
This processing is necessary for the purposes of the legitimate interests pursued by us to keep our business data and your personal data secure and confidential and/or defend our legal rights and in some cases, to comply with our duty of care to protect you from harm, but not infringe your reasonable expectation of privacy.
Lawful bases¹ - our lawful bases for processing your personal information are:
- UK GDPR Article 6(1)(b) - for the performance of a contract. In addition, we rely on the processing condition at Schedule 1, part 1, paragraph 1 of the Data Protection Act 2018 i.e. the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or on you
- UK GDPR Article 6(1)(e) - for the performance of our public task or in the exercise of official authority. In addition, we rely on the processing condition at Schedule 1, part 2, paragraph 6(2)(a) of the Data Protection Act 2018 i.e. this applies to carrying out Disclosure Barring Service checks
- UK GDPR Article 6(1)(f) - for the purposes of our legitimate interest (we can use ‘legitimate interests’ if we can demonstrate that the processing is for purposes other than for performing our tasks as a public authority). In this context, see section 5 above
- UK GDPR Article 6(1)(c) - so we can comply with our legal obligations as your employer
If you provide us with any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is UK GDPR Article 6(1)(c), to comply with our legal obligations under the Act.
The lawful basis we rely on to process any information you provide which is special category data, such as information about your race or ethnicity, religious beliefs, sexual orientation, political opinions, trade union membership, information about your health, including any medical condition, health and sickness records, is UK GDPR Article 9(2)(b), which relates to our obligations in employment and the safeguarding of your fundamental rights, and Schedule 1, Part 1(1) of the DPA 2018, which again relates to processing for employment purposes.
We process information about criminal convictions and offences. The lawful basis we rely on to process this data is UK GDPR Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1, Part 2, paragraph 6(2)(a) of the DPA 2018. We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to act in accordance with our regulatory and other legal obligations. Although this will be rare, we may also use information relating to criminal convictions where it is necessary in relation to legal claims.
We have a Data Protection Policy that sets out how special category data and criminal convictions and offences will be handled.
Data processors - we have a licence with Peoplesafe (formerly Skyguard) for the use of personal safety devices. Peoplesafe is our data processor (see section 5 above). We have a shared service arrangement with Mid Kent Services (hosted by Maidstone Borough Council) to provide our payroll service (see section 2 above). Mid Kent Services is our data processor.
We use Health Management to provide our Occupational Health service. We may ask Health Management to assess your working capacity. The information you provide will be held by Health Management, who will give us a report with recommendations. You are able to request to see the report before it is sent to us.
We use other service providers who act as our data processors:
- AVCWise (the administrators of Shared Costs AVCs)
- Prudential/Standard Life (the providers of Shared Cost AVCs)
- Health Management – our occupational health service (workstation assessments)
- Posturite – workstation assessments
- Health Assured – our employee assistance programme
- JELF – our insurance broker
- BUPA – our private healthcare provider – where you are a member of BUPA
- Sodexo – our childcare voucher provider
- PM&M – our employee benefits provider
- uCheck – our DBS check provider
Kent Pension Fund administers the Local Government Pension Scheme, of which we are a member organisation. If you are enrolled in the pension scheme, details provided to Kent Pension Fund will be your name, date of birth, national insurance number and salary.
Our data processors are only permitted to process your personal information in accordance with our written instructions.
Data sharing - in some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including government agencies, service providers and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions, with a service provider to assist us in disciplinary proceedings and with the Cabinet Office, as part of the National Fraud Initiative.
We may rely on a number of exemptions, which allow us to share information, having identified a lawful basis. Please refer to the Kent and Medway Information Agreement for further details on our sharing arrangements.
Retention period - We keep your personal information for the minimum period necessary. The information outlined in this Privacy Notice will be kept in accordance with the retention period(s) referred to in our Human Resources and Payroll Services Information Asset Register unless exceptional circumstances require longer retention eg: pending legal action. All information will be held securely and disposed of confidentially.
Your right to object - where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. We can refuse to comply if:
- we can demonstrate compelling legitimate grounds for the processing, which override your interest and other rights; or
- the processing is for the establishment, exercise or defence of legal claims.
You can also object to our processing where we are relying on the ‘legitimate interest’ lawful basis. The burden is on us to prove that we have compelling grounds to continue processing the data.
Your rights - This Privacy Notice should be read in conjunction with our Corporate Privacy Notice, our Privacy Notice for Human Resources and Payroll Service and our Privacy Notice for Candidate Application and Recruitment Process. Please refer to our Corporate Privacy Notice for further information on your rights.
Changes to this Privacy Notice – this Privacy Notice will be regularly reviewed and updates placed on the intranet and the website.
¹ Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information in accordance with our Data Protection Policy.
² Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information.
GDPR Employees Privacy Notice 2020