Our Human Resources (usually referred to as HR) supports and manages our employees and associated processes. It is seen as a core business function essential to our effective operation including managing the relationship between us an employer and you. The payment of salaries, pensions and other employment related benefits referred to in this privacy notice also apply to staff employed by Sevenoaks District Council under the shared services arrangement for Internal Audit and Fraud and Revs and Bens.
Most of the personal information we hold about you is provided by you. The information collected and held will vary depending on the purpose for which you are providing your personal information.
Processing activity - we will process personal information relating, but not limited to:
- employee relations, including resource planning, recruitment, termination, absence monitoring, health management, equal opportunities and succession planning
- HR budgetary and financial planning and administration
- organisational planning and development and workforce management
- compensation, payroll and benefit planning and administration, including salary, tax withholding, tax equalisation, awards, insurance, pensions, attachment of earnings, council tax
- workforce development, education, training and certification
- performance management
- problem resolution, including carrying out internal reviews, grievances, investigations and disciplinary and appeal hearings
- business travel and expense management
- business reporting and analytics
- administration of flexible work arrangements
- administration of employee enrolment and participation in activities and programmes offered to eligible employees, including wellness activities
- work-related injury and illness, including the management of employee health and safety and disabilities
- HR helpdesk support and case management
- to communicate with you and to facilitate communication between you and other people
- compliance and compliance reporting, including conflicts of interest and gifts and hospitality reporting
- risk management
- project management
- authorising, granting, administering, monitoring and terminating access to or use of our or third party facilities, records, property and infrastructure including communications services such as business telephones and email/internet use
- security passes and CCTV
Information requirements - our processing activities may include:
- telephone and email
- date of birth
- marital status
- sexual orientation
- preferred language
- details of any disabilities
- passport and/or driving licence details
- interview notes
- work visas
- next of kin
- records/results of pre- employment checks, including criminal record checks (DBS), credit and fraud checks
- pension information
- CVs, resumes and/or application forms
- references, records of qualifications, skills, training and other compliance requirements
- letters of offer and acceptance of employment, your employment contract, job descriptions
- bank account details, national insurance number, tax code, attachment of earnings, P45/tax declaration
- salary information
- length of service information
- health information/medical conditions/diagnosis/health screening
- covid-19 test results and vaccination status
- absence records
- leave requests
- employee identification number
- computer or facilities access and authentication information, identification codes, passwords, answers to security questions
- risk assessments
- performance ratings, leadership ratings, targets, objectives, records of performance reviews, records and/or notes of 1 to 1s and other meetings, personal development plans, personal improvement plans, correspondence and reports
- interview/meeting notes or recordings, correspondence
Lawful basis1- our lawful bases for processing your personal information is that it is necessary:
- UK GDPR Article 6(1)(b) - for the performance of a contract. In addition, we rely on the processing condition at Schedule 1, part 1, paragraph 1 of the Data Protection Act 2018 i.e. the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or on you
- UK GDPR Article 6(1)(e) - for the performance of our public task or in the exercise of official authority. In addition, we rely on the processing condition at Schedule 1, part 2, paragraph 6(2)(a) of the Data Protection Act 2018 e.g carrying out Disclosure Barring Service checks
- UK GDPR Article 6(1)(f) - for the purposes of our legitimate interest (we can use ‘legitimate interests’ if we can demonstrate that the processing is for purposes other than for performing our tasks as a public authority)
- UK GDPR Article 6(1)(c) - so we can comply with our legal obligations as your employer
If you provide us with any information about reasonable adjustments, you require under the Equality Act 2010 the lawful basis we rely on for processing this information is UK GDPR Article 6(1)(c), to comply with our legal obligations under the Act.
The lawful basis we rely on to process any information you provide which is special category data, such as information about your race or ethnicity, religious beliefs, sexual orientation, political opinions, trade union membership, information about your health, including any medical condition, health and sickness records, is UK GDPR Article 9(2)(b), which relates to our obligations in employment and the safeguarding of your fundamental right and Schedule 1, Part 1(1) of the DPA2018 which again relates to processing for employment purposes.
We process information about criminal convictions and offences. The lawful basis we rely on to process this data is UK GDPR Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1, Part 2, paragraph 6(2)(a) of the DPA 2018. We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to act in accordance with our regulatory and other legal obligations. Although this will be rare, we may also use information relating to criminal convictions where it is necessary in relation to legal claims.
We have a Data Protection Policy that sets out how special category data and criminal convictions and offences will be handled.
If we use your information for a reason other than to further an employment contract (for example given the importance of staff and property security, CCTV cameras are an effective way to protect our staff against assault and harassment and prevent property related crimes. Business security passes provide an additional defence against intruders), then we generally do this based on our legitimate business interests. Before doing this, though, we will always carefully consider and balance any potential effects on you and your rights, to ensure that we do not infringe your reasonable expectation of privacy. We have a Legitimate Interests Policy that sets out how this information will be handled.
We have a duty of care towards you and your colleagues and obligations under health and safety legislation. We may request staff to undertake lateral flow tests before attending the workplace. Such requests, in consultation with you, will be dealt with on a case by case basis, dictated by fact specific circumstances, such as the nature of your work and any evidence on the necessity of testing in the particular environment.
Data processors - we have a shared service arrangement with Mid Kent Services (hosted by Maidstone Borough Council) to provide our payroll service. Mid Kent Services is our data processor.
We use Health Management to provide our Occupational Health service. We may ask Health Management to assess your working capacity. The information you provide will be held by Health Management, who will give us a report with recommendations. You are able to request to see the report before it is sent to us.
We use other service providers who act as our data processors:
- AVCWise (the administrators of Shared Costs AVCs
- Prudential/Standard Life (the providers of Shared Cost AVCs)
- Health Management – our occupational health service
- Posturite – workstation assessments
- Health Assured – our employee assistance programme
- JELF – our insurance broker
- BUPA – our private healthcare provider – where you are a member of BUPA
- Sodexo – our childcare voucher provider
- PM&M – our employee benefits provider
- uCheck – our DBS check provider
Kent Pension Fund administers the Local Government Pension Scheme, of which we are a member organisation. If you are enrolled in the pension scheme,details provided to KentPension Fund will be your name, date of birth, national insurance number and salary.
Our data processors are only permitted to process your personal information in accordance with our written instructions.
Data sharing - your personal information may be shared with and/or obtained from:
- Unison - where you have requested your membership be paid through payroll
- any other union that you may be a member of
- council department(s)
- training and development providers
- HM Revenue and Customs
- ACAS (employment tribunal related activities)
- Cabinet Office (as part of the National Fraud Initiative)
- Office of National Statistics
- service providers
We may rely on a number of exemptions, which allow us to share information, having identified a lawful basis. Please refer to the Kent and Medway Information Agreement for further details on our sharing arrangements.
Retention period - we keep your personal information for the minimum period necessary. The information outlined in this Privacy Notice will be kept for six years from the date of file closure although certain information may need to be kept for a longer period to comply with legislative requirements. All information will be held securely and disposed of confidentially.
Data portability - you have the right to obtain from us and reuse personal information you have provided to us (in automated form) for your own purposes by asking us to move, copy or transfer your personal information from one IT environment to another, in a safe and secure way without hindrance to user ability. However, we can only offer data portability where we are able to as we may be subject to system restrictions.
Anonymisation - your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.
Right to object – where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. We can refuse to comply if:
- we can demonstrate compelling legitimate grounds for the processing, which override your interest and other rights; or
- the processing is for the establishment, exercise or defence of legal claims.
You can also object to our processing where we are relying on the ‘legitimate interest’ lawful basis. The burden is on us to prove that we have compelling grounds to continue processing the data.
Changes to this Privacy Notice - we review this Privacy Notice regularly and will place updates on our website.
Please refer to our Corporate Privacy Notice, Privacy Notice for Candidate Application & Recruitment Process and our Privacy Notice for Employees, for further details of how we process your personal information and for details on your additional rights.
1 Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information
GDPR/Privacy Notices/Human Resources and Payroll Services Privacy Notice