Human Resources and Organisational Development - privacy notice

Who we are

Derby City Council is the local government unitary authority for Derby city. Our address is the Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.

How do we collect information from you?

We collect information from you when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccount; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face. We may collect information from a setting you attend, such as a school or care home, where this data collection is necessary for the following purposes listed.

What types of information do we collect from you?

We collect information from you when you visit www.derby.gov.uk; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.

We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be personal information (for example your name and address), or other more sensitive data that we would only collect and use in very particular circumstances that are set out in law.

What is the lawful basis?

The legal basis for data processing we are relying on comes from Article 6 of the UK General Data Protection Regulation (UK GDPR). The following sections apply;

• Article 6(1)(c) Legal Obligation -Processing is necessary for compliance with a legal obligation to which the controller is subject;
• Article 6(1)(d) Vital interest -the processing is necessary to protect someone’s life;
• Article 6(1)(e) Public task -the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

Special category data:

• It is necessary to share sensitive information for the purposes of carrying out the obligations and exercising specific rights in the field of social protection law, for the provision of health or social care treatment or the management of health or social care systems. (Article 9 2(h) UK GDPR).
• Public health processing-it is necessary for reasons of public interest in the area of public health (Article 9 2 (i) UK GDPR)
• Some special category data is available on sight, and therefore is already in the public domain. As such the primary justification for processing this information is; personal data which are manifestly made public by the data subject, in accordance in Article 9 (e).

We process all information in accordance with our legal obligations and public tasks arising from the following provisions:

• The Employee Rights Act 1996
• The National Minimum Wage Act 1998
• The Employee Relations Act 1999
• The Maternity and Parental Leave etc. Regulations 1999
• The Transfer of Undertakings (Protection of Employment) Regulations 2006
• The Agency Workers Regulations 2010:
• The Equality Act 2010
• The Working Time Regulations 1998
• The Data Protection Act 2018
• The Coronavirus Act 2020
• The Health Protection (Notification) Regulations 2010
• The Public Health (Control of Disease) Act 1984 and associated Regulations
• The Care Act 2014
• The Safeguarding Vulnerable Groups Act 2006
• The Health and Safety at Work Act 1974

Details of information obtained from third parties

• Tax codes, student loan notifications and such like from HM Revenue and Customs
• court orders from HM Court Service and other courts
• details of voluntary deduction information from pension providers, union bodies, benefit providers and such like

How is your information used?

Whilst this HR privacy notice primarily relates to employees, agency workers, volunteers, and prospective employees, please note that we may be required to process your information in accordance with employment legislation and/or prospective and actual legal claims if:

• you make a complaint that specifically relates to a member of staff or;
• your personal information it is linked to an employment matter, for example an issue with the quality of service you receive

We may use your information, in accordance with the Council’s public tasks, legitimate interests, legal obligations and where applicable consent, in order to:

• pay you accurately
• produce pay statements
• manage your employment under our relevant employment policies
• provide you with access to your information through self-service portals
• respond to statutory returns including equality returns
• process your employee benefits
• process any voluntary deductions you request
• process statutory deductions
• allow the administration of your personal pension
• allow for the transfer of budget information
• allow independent auditors to ensure that we are complying with our internal policies and processes
• support the administration of our processes in relation to mail merges, printing and mailing services
• allow you to access the relevant external training linked to your personal development or apprenticeship
• undertake pre-employment checks should your employment application be successful (for job applicants)
• transfer data into payroll for successful applicants (for job applicants)
• complete anonymised equalities statutory returns and to target future recruitment campaigns
• support employment claims
• manage employee performance and skills
• promote collaboration and ensure you are identifiable to colleagues, service users and citizens
• promote and adhere to equality and diversity obligations and practices
• manage training and development
• authenticate access to IT systems and Council information assets (please see further details within the digital services privacy notice.)
• carry out relevant checks, where applicable, in relation to HMG Baseline Personnel Security Standards
• enable colleagues to access health services
• ensure effective response to the COVID-19 epidemic to ensure the safety, wellbeing and care of colleagues
• ensure that health & safety risks are addressed
• manage complaints related to employment matters
• investigate and manage grievances and complaints
• manage quality of service provision
• comply with official investigations. These include but are not limited to Local Government Ombudsman, Information Commissioner, Care Quality Commission, and Ofsted.
• to comply with the requirements of statutory bodies such as the Care Quality Commission, Public Health England and Social Work England and so on
• your name and employee number is used to provide you with access to the Council’s Employee Benefits platform. If you wish to opt out of this please contact employeebenefitsandpensions@derby.gov.uk.

We may share your information with other authorities or statutory agencies, to prevent or detect fraud or protect public funds.

Where consent has been requested, you can opt out by emailing StrategicHR@derby.gov.uk.

Employee monitoring

In accordance with the schedule 1 (1), (2) & schedule 2 of the Data Protection Act 2018, & Article 6 (b), (c) & (f) of the UK General Data Protection Regulation; we may monitor the use of council assets, staff conduct & records of time keeping for purposes such as preventing and detecting criminal acts, investigating unauthorised use, making sure that policies are being followed and for training and quality control.

Examples of such monitoring may include but is not limited to: CCTV, surveillance, swipe card data, system audits, remote working, IT usage, conduct, performance and the use & management of financial assets.

Please note that all staff are not routinely monitored in a blanket manner – all monitoring will be proportionate and justified.

COVID-19/Coronavirus

Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations;  and the Coronavirus Act 2020 and associated Regulations  the Council has a legal duty to store, process and share personal information. The information will  be stored, processed and shared as part of the national, and local Coronavirus Test and Trace operations where necessary for investigations, as well as the testing and  tracing of individuals, groups or businesses; and to assist in the investigation into cases of Coronavirus; Coronavirus outbreaks and issues of non-compliance with the Acts and associated Regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.

During the management of Coronavirus risks, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. Such Information includes, but is not limited to; personal identifiers, health information including vaccination information. The Council has a duty to notify national Government bodies, such as Public Health England, The Care Quality Commission and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.

The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or e-mail. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the national Information Commissioners Office's website.

Following the repeal of the Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) Regulations 2021, we will no longer be actively collecting vaccination status data to assess and determine suitability for employment in certain roles. We will retain data previously collected in accordance with stipulated retention periods.

Research and statistics

Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.

What are your rights?

• Access – you can request copies of any of your personal information that is held by the Council.
• Rectification – you can ask us to correct any incorrect information.
• Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
• Portability – you can ask us to transfer your personal data to different services or to you.
• Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
• Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

National Data Opt Out

We are one of many organisations working within health and social care to improve health and wellbeing for patients as well as the public. Information collected from you when you use our services may be stored and shared with services or partner organisations for purposes other than your individual care, for instance to help with:

• Improving the quality and standards of care provided
• Research into the development of new treatments
• Preventing illness and diseases
• Monitoring safety

This may only take place when there is a clear legal basis to use this information. Confidential information about your health and care will only be used in limited circumstances where it is not possible to use anonymised data.

You have a choice about whether you want your confidential information to be used in this way. If you are happy for your information to be used in this way you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

For more information or to register your choice to opt out please visit https://www.nhs.uk/your-nhs-data-matters/. You can choose to opt in at any time.

Please be aware that the National Data Opt Out does not apply to information used for marketing purposes, your data would only be used in this way with your specific agreement.

All Health and Social Care organisations should have systems and process in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is compliant with the national opt out policy.

Who has access to your information?

We may share your information with:

• Other Council Departments, Managers, Headteachers/School Business Managers, Time Administrators, Internal Audit, DMC/Business Support and Parking Services to ensure we meet our statutory and contractual duties
• Both internal & external customers, and services users, will have access to information relating to you acting in your professional capacity and your personal contact details. We will of course balance disclosures with our duty of confidence to you and your expectation of privacy
• External organisations such as; H M Revenue and Customs, Disclosure and Barring Service, H M Court Service, Police Authority, Department for Education, Department of Work and Pensions, Pensions Administrators (Derbyshire Pension Fund for Local Government Pension Scheme, Teachers Pension, Prudential, Standard Life, NHS Pension and NEST), voluntary payroll deductions, external auditors, Payroll/HR software providers, external organisation linked to TUPE legislation. This is for the purposes allowed by law as well as provision of information to pension administrators and other third parties’ payroll deduction where you are a member. These third parties include Government Departments, other local authorities and private sector companies, as allowed by law. This would include sharing relevant information with external training providers supporting your personal development or apprenticeship
• Health and social care partners to ensure that care is accessible and where applicable administered to colleagues
• Organisation such as the Local Government Ombudsman, Information Commissioner, Care Quality Commission, Public Health England, Department of Health and Social Care and Ofsted (this is not an exhaustive list).
• We will share your name and employee number with our Employee Benefits provider (this includes Childcare Voucher access, shared cost AVC, car leasing, cycle to work and annual leave purchase schemes) to allow you to gain access to the platform. You will then be asked to sign up directly with them if you wish to partake in this benefit. If you do not wish for your information to be shared with the Employee benefits provider please contact employeebenefitsandpensions@derby.gov.uk.
• We will share your name and employee number with our E learning and training provider to allow you to facilitate development and system access. 

We may share information in accordance with the National Fraud Initiative. For more information please refer to:

1. GOV.UK - National Fraud Initative
2. Our National Fraud Initiative page

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes.

How long will we keep your information for?

We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.

What security precautions are in place to protect the loss, misuse or alteration of your information?

We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.

Keeping your data up to date

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.

Cookies

Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.

IP addresses

Internet Protocol (IP) addresses are collected when our site is used:

• for statistical or analytical purposes
• to identify any malicious activity.

Complaints

If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer:

• By post: Information Governance, Council House, Corporation Street, Derby, DE1 2FS
• By phone: 01332 640763
• By email: data.protection@derby.gov.uk

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

• By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk.