Staff privacy notice

Staff information

The purpose of this privacy notice is to inform staff employed/contracted by mhs homes group about the nature and source of any information processed about them, how it will be used, who it will be disclosed to, how we keep it secure and confidential, and staff rights.

For the purposes of this Privacy Notice, ‘staff’ includes applicants, all employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

During the course of our activities the mhs homes will process (obtain, record, hold, use and disclose) personal and special category data (previously known as sensitive data) about our prospective, current and former staff. Personal data is defined as any information relating to a living identified or identifiable natural person who can be identified directly or indirectly from the information. Special Category data is defined as sensitive personal data and incorporates:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Health data
Data regarding an sexual orientation
Genetic and biometric data used for the purpose of identifying an individual

At times we might also collect and hold criminal offences and or convictions data, which will be processed under the Data Protection Act.

For more information on the types of data held please see the types of data handled section below and the data flows table at the end of this document.

We only process your personal and special category data where we have your consent or another legal basis to do so, and where processing can be justified under the UK General Data Protection Regulations / Data Protection Act 2018 (DPA). These include circumstances where the processing is necessary for performance of staff contracts with mhs homes or for compliance with any legal obligations that apply to mhs homes as your employer.

What laws are relevant to the handling of personal data?

The law determines how organisations can use personal and special category data. The key legislation governing the use of data is listed below:

The UK General Data Protection Regulations
The Data Protection Act
The Human Rights Act 19
Freedom of Information Act 20
Computer Misuse Act 19
Audit Commission Act
Regulation of Investigatory Powers Act 200
Access to Health Records Act 199

The above key legislation stipulates requirements regarding the use of your personal and special category data; however, the law is primarily set out in the Data Protection Act (DPA) 2018. For the purposes of the DPA, mhs homes is the “Controller” (the person or group of people who decide how any and why data is processed) of staff information.

Everyone working for mhs homes has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access.

What types of personal and/or special categories data do we handle?

In order to carry out activities and obligations as an employer we may process your personal and special category data, such as:

Confirmation of your identity (such as photographs and a copy of your driving licence or passport)
Information about your remuneration (such as bank account details, payroll records, tax status information, salary history, pension and benefits)
Personal details such as name, date of birth, material status, national insurance number
Personal demographics (the protected characteristics contained in the Equality Act)
Contact details such as names, addresses, telephone numbers. Emergency contact(s)
Personal mobile numbers which may be used to contact you in case of an emergency or a major incident affecting mhs homes
Education and training
Employment records (including professional membership, references and proof of eligibility to work in the UK)
Information about your employment with us (such as start and end date, location of employment / workplace, holiday entitlement and requests, records of absences and information around resignation or termination of employment)
Recruitment information (such as copies of right to work documents, professional qualifications, language capabilities, training courses attended, references and other information included in a CV or cover letter or as part of the application process)
Information about your previous employment (such as job titles, work history, working hours, training records, professional memberships, salary / compensation history)
Your performance with us (such as appraisal information, performance reviews and colleague and customer feedback)
Information relating to benefits (such as occupational health records and referrals, sick pay, pensions, insurance and parental leave)
Vehicle information (such as driving licence number, vehicle registration and driving history)
Medical information including physical health or mental health
Information relating to health and safety
Employment Tribunal applications, complaints, accidents, and incident
Information about your use of our information and communications systems (such as emails, calls, correspondence and other communications)
Trade union membership
Offences (including alleged offences), criminal proceedings, outcomes and sentences
Disciplinary and grievance information
Security information (such as CCTV footage and key card information)

What is the purpose of processing data?

We only process your personal and special categories data where we have your consent or where the processing can be legally justified under data protection legislation. These include circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligations which apply to the mhs homes as your employer. These obligations may include (but are not limited to):

Staff administration (including payroll), including recruitment and selection
Pension administration
Business management and planning
Accounting and Auditing
Accounts and records
Crime prevention and prosecution of offend
Educating
Health administration and services
Information and databank administration
Sharing and matching of personal information for national fraud initiatives
Carrying out of our Staff Surveys
Administration of our optional benefits including but not limited to paying for Socialites trips, holiday homes, medicash medical insurance ; buying or selling annual leave, cycle to work, colleagues saving club, give as you earn

Sharing your information

There are a number of reasons why we share information. This can be due to:

Our obligations to comply with current legislation or regulation
Our duty to comply with any Court Order which may be imposed

Any disclosures of personal and special category data are always made on a case-by-case basis, using the minimum data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal and special category data to such persons.

In order to comply with our obligations as an employer we will routinely need to share your information as follows.

Payroll Administration (MHR)

The payroll of mhs homes group is is managed by a Processor, Midland HR (MHR). A Processor is a person or body that processes personal data on behalf of the Controller (mhs homes). Your personal information will be made available to MHR through itrent (see below) in order to allow them to pay your salary and any associated expenses and to comply with our legal and statutory obligations, including the management of absence monitoring. From time to time we will need to share information with MHR in order to ensure that they deliver the services we require.

Management of Employee Staff Record (MHR itrent) including training and expenses

In order to maintain your employment records, the information which you provide to the mhs homes during the course of your employment will be held MHR itrent system. Your personal and special category data may also be used to fulfil other employer responsibilities, for example, by maintaining appropriate occupational health records, complying with health and safety obligations, carrying out any necessary security checks, and all other employment related matters. In addition, the information held may be used in order to send to you information which is relevant to our relationship with you.

Your information will only be disclosed as required by law or to our appointed agents and/or service providers who may be used for a variety of services; for example, processing of payroll, provision of pensions administration.

Other bodies

We may also share information with other bodies that inspect and manage public funds. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. We may obtain and share personal data with a wide variety of other bodies, which may include, but is not limited to:

Her Majesty's Revenue and Customs (HMRC) e.g. the HMRC request information on individuals employed by the mhs homes such as their name, contact details, salary information and payroll information
Disclosure and Barring Service – this is managed through Powys Country Council on behalf of mhs homes and staff requiring a DBS check must provide name, contact details (current and previous), date of birth (DOB), National Insurance number, passport and driving license information and job role details
Home Office
Child Support Agency
Central government, government agencies and departments e.g. Job Centre Plus who may require information on whether an individual is employed by the mhs homes
Other local authorities and public bodies
Ombudsman and other regulatory authorities
Courts/Prisons
Financial institutes for e.g. banks and building societies for approved mortgage references
Credit Reference Agencies
Educational, training and academic bodies
Law enforcement agencies including the Police, the Serious Organised Crime Agency
Emergency services e.g. The Fire and Rescue Service
Auditors e.g. RSM or internally
Department for Work and Pensions (DWP)
The Assets Recovery Agency
Office of National Statistics (ONS) – The ONS carry out an Annual Survey of Hours and Earnings where they randomly select staff and the mhs homes is required to provide information under the Statistics of Trade Act 1947. The information provided includes name, National Insurance number, job title, role details, contact details, payroll and salary details and pension details
Employers requesting references
All Health Matters for Occupational health
Aviva Pension – staff will be auto-enrolled onto our employee backed pension scheme details shared as the individual’s name, contact details, job title and National Insurance number and salary details. Information is also shared with Kent County Council who administer the Local Government Pension Scheme for those staff still making contributions to this
Relatives or guardians of an employee where there is a legal duty to do so

Withdrawing consent

If we are relying on your consent to process your data, you may withdraw your consent at any time by contacting us in your preferred way.

Personal and/or special categories staff information held by the mhs homes

Finance

Information held for the purposes of payroll audits – held by mhs homes Finance Team - includes items of personal data such as your name, your employee number, and salary. The information held is used to make sure that staff employed by the mhs homes are on the correct salary and there are no issues with over or under payments. This information may also be shared with line-managers.

Information will also be required for budget setting and monitoring. Additionally, payroll information will be required for the production of the annual report. If you sign up to the Childcare Voucher scheme, you will be required to provide your name, contact details, national insurance number and payroll number to Childcare Vouchers. This information will also be accessible to the HR Team.

Recruitment

When someone applies for a job at the mhs homes they do so through the mhs homes jobs website which is run by Job Train and hosted by Job Train. Information is collated there and submitted to mhs homes for downloading. Following this the data is retained for 12 months and then automatically deleted from the site. Details will only be downloaded to share with recruiting managers for shortlisting and interviews.

Recruitment information – held by mhs homes includes items of personal data such as your name, DOB, address, qualifications and potentially special categories data such as disclosure and barring service self-declaration form details, Occupational Health data and personal references (information held by HR is usually disclosed by yourself or nominated persons providing your reference/s).

Information held is used for the administrative purposes of recruitment and selection. Where we disclose information to a third party, for example where we want to take up a reference or obtain a disclosure from the Disclosure and Barring service, we will not do this without informing you beforehand, unless the disclosure is required by law.

Personal confidential data about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed. It will then be destroyed or permanently deleted. Once a person has taken up employment with us we will create a file relating to that persons employment on itrent. Once their employment with us has ended, we will retain the file in accordance with our records management retention schedule.

Further information on individual’s rights, including the right to erasure is included below. Please contact the mhs homes Data Protection Officer for further information.

Workforce diversity data

Workforce data held by the mhs homes includes details of your protected characteristics as defined by the Equality Act 2010, which are age, disability, gender re-assignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation (disclosed by yourself during the course of your employment). Information held is used for the purpose of monitoring the mhs homes equality performance and the diversity of its workforce. This type of information would be stored within itrent and on secure separate spreadsheets.

Training information

Here at mhs homes we collate data such as names and training courses information (training log) to monitor compliance with mandatory training and to identify training needs. We use a system that is managed by Midland HR and powered by Docebo.

Employee relations

Details of any employee relations cases that have been supported by HR are recorded on itrent and in the HR Shared Drive, including records of long-term sickness management, capability reviews, suspensions, disciplinary and grievances (provided by you or your line manager during your course of employment). Information held is used for the purposes of supporting and documenting your employment.

Occupational health

Occupational Health services are provided by All Health Matters on behalf of mhs homes. Data held by the occupational health services provider – includes items of personal and special categories data (disclosed by yourself on your health declaration form or provided by you or your line manager during your course of employment). Information held is used for the purposes of ensuring that you are ‘fit for work’ and also to ensure you have the appropriate support in the workplace if you have a particular health need. If you wish to be referred for counselling, this is a self-referral process whereby you will share your personal details with the Employee Assistance Programme administered by Health Assured. HR will only share your details with Health Assured on your behalf when you have explicitly requested this.

Personnel file

Information held within staff personal files includes items of personal and/or sensitive data (gathered from yourself or other sources during the course of your employment) such as name, address, telephone number, sickness records, records of appraisals, records of capability reviews, HR change forms, details of grievances and disciplinary. Information held is used for the purposes of supporting and documenting your employment.

How information may be used and who it may be disclosed to

Any personal and special categories data which we obtain and hold will only be used (in an identifiable format) for the purpose for which it was given to us, unless we seek your permission to use it for something else or have another legal basis to do so; and
If there is a requirement to disclose information we collected for one purpose for a different purpose, generally we would only do this with your explicit consent unless there was another legal basis which permitted disclosure (e.g. statute as in the case of sharing tax information with the tax office, a court order, risk of harm to yourself or another person, or disclosure required in the wider public interest in cases of serious crimes).

When we may publish your information

There are certain circumstances where the mhs homes is required to publish your information as follows:

Leadership team

Certain senior members of staff will have their name, role, photos and a bio added to the website.

Annual report

Certain senior members of staff will have their name, role, salary and pensions entitlements published annually as part of the mhs homes Annual Report.

How we store your data

Your personal data is held in both hard copy and electronic formats.

Electronic data, including emails, is stored on mhs homes’ servers and on our software suppliers’ servers, which are in the European Union.

International safeguards

The information you provide us with will not be disclosed by us outside of the United Kingdom or European Economic Area, unless there are appropriate safeguards in place, including contracts and requiring any third party to adhere to those. All our contracts with suppliers state that they must seek our permission before transferring data outside of the United Kingdom. However, if we do discover that any of our suppliers aren't compliant and they're storing data outside of the UK without our permission, we'll rectify this as soon as we can.

How long we keep your data

Some of our retention periods are based on legal requirements, and others are based on the practical reasons we need to keep the data for a certain period. Information about how long we hold your data for can be found in our Data Retention Schedule, which can be requested from our DPO.

Once we reach the retention limit , we will securely delete all relevant data, unless:

we are legally required to keep it longer, or
there are lawful reasons why we need to keep it longer

How we look after your information

We take our duty to protect your personal confidential data very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of the data for which we are responsible, whether computerised or on paper.

Our Protection Officer (DPO) is responsible for the day-to-day management of Information Governance and ensuring that mhs homes complies with its obligations under data protection legislation.

The mhs homes Data Protection Officer can be contacted at Data.Protection@mhs.org.uk, write to mhs homes, Broadside, Leviathan Way, Chatham, Kent, ME4 4LL or call 01634 565333.

If you have any queries about this notice or anything related to data protection, you can contact our Data Protection Officer (DPO) using the above address. It is important to remember both mhs homes Ltd (Z629086) and Heart of Medway Housing Association (ZA079387) are registered with the ICO.

We are committed to ensuring that personal and special category data is kept confidential and secure and used appropriately, and everyone working for mhs homes has a contractual and legal duty to protect your information.

The confidentiality and security of personal and special category data is of paramount importance to mhs homes and we strive to ensure that all such information under our control is handled in accordance with all legal, professional and ethical obligations.

All staff have a responsibility to ensure that the policies and procedures are adhered to. Staff members are provided with mandatory annual Data Protection training to enable them to fulfil their obligations.

Access to identifiable information is strictly controlled and limited to only those with a legitimate need to access it (to enable them to fulfil their job role)
Personal and special categories data is held in accordance with the requirements of the DPA 2018. We will not hold information any longer than is necessary, and when the relevant retention period has been reached, we will review the records and either retains the data for longer if required, or dispose of it in a secure way
Anyone who receives personal or special category data from us is also under a legal duty to keep it confidential and secure as per the requirements of the DPA 2018. In instances where mhs homes holds contracts for services, we ensure the data sharing agreements and monitoring in place provide sufficient assurance regarding the protection of your personal and special categories data
This Privacy Notice does not provide exhaustive detail of all aspects of our collection and use of personal confidential data. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the Data Protection Officer using the contact details above

Your rights regarding the information we hold about you

The DPA 2018 provides staff with rights regarding their own personal data, including the right to find out what personal data is held on computer and in paper records, and to view or be provided with a copy of this data within one month of receipt of such a request, this is called a Data Subject Access Request. In addition to the right of access, the DPA 2018 provides staff with the following rights:

The right to be informed
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling (currently mhs homes does not have any fully automated decision-making processes in place; should this change more details will be provided)
The right to complain, judicial remedies and compensations

For more information on our rights please visit our website.

For further information regarding your rights, please see Appendix 1.

What if the data we hold about you is incorrect?

It is important that the information which we hold about you is up to date. If your personal details change or if they are currently inaccurate then it is important that you either update your details in itrent or email the Human Resources team via HRteam@mhs.org.uk

Changes to our privacy notice: We keep our Privacy Notice under regular review and will inform staff of any changes.

Further information: For further information regarding your rights and how to exercise them, please see the data protection pages available via mhs homes intranet pages or you can also contact the Data Protection Officer using the details above.

Complaints

Please let us know if you have any complaints about the way your personal data has been handled. Please contact our Data Protection Officer data.protection@mhs.org.uk

You also have a right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO’s website.

Appendix 1

Purpose or activity	Purpose of the processing	Lawful basis for processing (Legitimate interests is no longer available to public authorities as a basis for processing in the performance of their tasks)	Categories of personal data	Source of data (is this publicly accessible?)	Processor of personal data (The person or organisation which processes personal data on behalf of the MHS HOMES).	Details of transfer to third country and safeguards	Retention period
Purpose or activity	Purpose of the processing		Categories of personal data	Source of data (is this publicly accessible?)		Details of transfer to third country and safeguards	Retention period	Financial transaction	Financial transactions such as payroll management, absence returns, travel claims, budget setting and monitoring, and financial audits include personal and/or sensitive data.	Article 6 (e) Public task Article (9) (2) provision of health or social care or treatment or the management of health or social care services.	Personal data and special category data including name, address, DOB, and healthcare information	Within the mhs homes.	Payroll services (provided by MHR, occupational health All Health Matters, UNISON, Charities Aid Foundation, AIG, Bupa, Towergate Insurance	None	6 years after the staff member leaves or 75th Birthday, whichever is sooner.
HR Processes	HR processes will include personal and/or special category data, such as: · Staff change forms · Recruitment and selection · Sickness reporting · Payroll Administration · Electronic Staff Records · Occupational Health and Counselling Services · Childcare Voucher Scheme · Staff survey · DBS checks · Driver details · HR audits · Workforce diversity data · Employee relations	Article 6 (b) Contract Article 9 (h) Employment and Social Security Staff survey Article 6(e) and Article 9 (h)	Personal data and special category data including name, address, DOB, and healthcare information	From employees. From Occupational Health (provided by All Health matters)	Employees, mhs homes staff, Occupational Health (provided by All Health Matters ) and payroll services (provided by MHR) All HR information is held centrally on the itrent system In addition DBS checks are carried out by Powys County council. Driver data checking is completed by Drivercheck.	None	6 years after the staff member leaves or 75th Birthday, whichever is sooner.
Legal / Statutory obligations	Mhs homes group must comply with certain statutory and legislative requirements to share information with other agencies. Examples include: · ONS surveys · National Fraud Initiative · Department of work and pensions · HMRC · Central government departments · Law enforcement agencies The above list is not exhaustive.	Article 6 (c) Legal Obligation Article 9 (b) Employment and Social Security	Personal data and special categories data including any of the following name, address, DOB, contact details, salary information, pension information, job details.	From employees.	Mhs homes processes data and shares with the following upon request: · Office National Statistics · Cabinet Office · Department of work and pensions · HMRC · Central government departments	None	6 years after the staff member leaves or 75th Birthday, whichever is sooner.

Purpose or activity	Existence of data subjects rights							Is the provision of data part of a statutory or contractual requirement or obligation. Are there any consequences of failing to provide the personal data.	Details of any automated decision making
Purpose or activity	Right to be informed	The right of access	The right to rectification	The right to erasure	The right to restrict processing	The right to data portability	The right to object		Details of any automated decision making
Financial transaction	Yes	Yes	Yes	No	Yes	No	Yes	The provision of data is a contractual obligation and can be a statutory requirement e.g. fraud reporting.	None
HR Processes	Yes	Yes	Yes	Yes	Yes	No	No	The provision of data is a contractual obligation and can be a statutory requirement e.g. fraud reporting.	None
Legal / Statutory obligations	Yes	Yes	Yes	No	No	No	No	The provision of data is a contractual obligation and can be a statutory requirement e.g. fraud reporting.	None