HR privacy notice

Our people, your privacy

This privacy notice explains how and why the London Borough of Hammersmith & Fulham (also referred to as “employer”, “council”, “we” or “us”) uses personal data about our employees and job applicants (referred to as “you”).

To be the best employer in local government we invest in how we work and the opportunities available. To do this properly, we need to collect and process personal data about you. We are committed to being transparent about how we do this and the steps that we take to protect your privacy. Please read this notice carefully, so that you know what we are doing with your personal data.

As your employer, we use several IT systems and hold paper records. This includes a self-service portal which enables you to manage your own information.

When you apply for a job with us, your application is held electronically.

This notice does not form part of a contract of employment or any other contract to provide services.

Our data protection responsibilities

“Personal data” is any information that relates to an identifiable natural person. Your name, address, contact telephone numbers and CV are all examples of your personal data, if they identify you.

The term “process” means any activity relating to personal data, including by way of example, collection, transmission, and storage.

The council is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and because of this, we are responsible for making sure it is used in accordance with data protection laws.

What information we collect

We collect and process a range of personal data about you. We cannot administer our employment or other relationship with you without your personal data.

You provide us with personal data when you apply for a job with us as a job applicant. This includes:

  • your name, address, and contact details, including email address and telephone number, date of birth;
  • details of your qualifications, skills, experience, and employment history, including start and end dates, with previous employers and with the organisation; this may include professional registrations where we are required to report to statutory bodies;
  • information about your current level of remuneration, including benefit entitlements; as well as information that allows us to manage any tax payable to HMRC, third party payments and pension payments;
  • whether or not you consider yourself to have a disability and if we need to make adjustments to our recruitment approach to better support your application; and
  • information about your entitlement to work in the UK.

As an employee, this includes:

  • your name, address and contact details, including email address and telephone number, date of birth;
  • the terms and conditions of your employment;
  • information about your current level of remuneration, including benefit entitlements; as well as information that allows us to manage any tax payable to HMRC, third party payments and pension payments;
  • details of your bank account and national insurance number;
  • information about your next of kin, dependants and emergency contacts;
  • information about your nationality and entitlement to work in the UK;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday and sickness absence, other leave whether authorised or not and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
  • information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments;
  • information about your training and qualifications recorded with us; and
  • professional registrations and any information we are required to hold for the purposes of inspections, regulations, or fitness to practice in certain professions.

We may also collect, store and use the following “special categories” of personal data which is more sensitive:

  • equal opportunities monitoring information;
  • equality, diversity and inclusion monitoring information, including information about your ethnic origin, sexual orientation, gender identification, health, and religion or belief;
  • trade union membership; and
  • information about your criminal record including any criminal convictions and offences.

We collect this information in a variety of ways. We collect personal data during the recruitment process through application forms; from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment; from correspondence with you; through interviews, meetings or other assessments; and from third parties, such as references and criminal records checks permitted by law.

For employees, personal data will be stored in a range of different places, including in your personnel file, in our HR management systems and in other IT systems (including our email system).

Why we process your personal data

We are required by law to always have a “lawful basis” (i.e. a reason or justification) for processing your personal data. There are six such permitted lawful bases for processing personal data; the bases we rely on are highlighted in bold below.

Job applicants:

As part of any recruitment process, we will collect and process personal data relating to you as a job applicant. We will also need to take steps at your request prior to entering into an employment contract with you. Processing personal data from job applicants allows us to manage the recruitment process, assess and confirm your suitability for employment and decide to whom to offer a job. We may need to process personal data from job applicants to respond to and defend against legal claims. Your personal data will not be used for any purpose other than the recruitment exercise for which you have applied.

It is therefore in our legitimate interests to decide whether to appoint you to the role applied for since it would be beneficial to our business to appoint someone to that role.

We also need to process personal data to ensure that we comply with our legal obligations. For example, we must check your entitlement to work in the UK before offering you a job with us.  We therefore process your personal data for this purpose to ensure that we are complying with a legal obligation.

Employees:

We need to process your personal data to be able to enter into an employment contract with you and to meet our obligations under your employment contract.

It is therefore in our legitimate interests to process your personal data to be able to enter into an employment contract with you and to:

  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of training, including mandatory training prescribed by legislation and regulation;
  • conduct surveys and data analytics to review and better understand employee retention, engagement and attrition rates;
  • obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • ensure effective general HR and business administration;
  • provide references on request for current or former employees;
  • respond to and defend against legal claims; and
  • maintain and promote equality in the workplace.

We also process your personal data in order for us to be able to perform the contract we have with you for the following purposes:

  • to pay you in accordance with your employment contract;
  • to administer benefits and pensions;
  • to operate and keep a record of absence and absence management procedures;
  • to operate and keep a record of disciplinary and grievance processes; and
  • to operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave).

We also need to process personal data to ensure that we comply with our legal obligations. For example, we must check your entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable you to take periods of leave to which you are entitled. We therefore process your personal data to ensure that we are complying with a legal obligation.

Why we process your “special category” personal data

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities).

We also process information about Trade Union membership to allow any Trade Union membership fees to be deducted from your salary, as applicable. For these purposes, we rely on the following legal bases for processing your personal data:

  • for the purposes of our legitimate interests;
  • processing is necessary for carrying out the obligations and exercising specific rights of us or you in the field of employment; and
  • processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment.

We process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, for the purposes of equal opportunities monitoring. For these purposes we rely on the following legal bases for processing your personal data:

  • for the performance of a task carried out in the public interest;
  • processing is necessary for reasons of substantial public interest; and
  • processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment.

We also process special categories of personal data pertaining to occupational health.  For these purposes, we rely on the following legal bases for processing your personal data:

  • for the purposes of our legitimate interests;
  • processing is necessary for carrying out the obligations and exercising specific rights of us or you in the field of employment; and
  • processing is necessary for health or social care reasons including preventative or occupational medicine.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so – for example where your role means that you will be working with vulnerable persons.

We may also use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made that information public.

Information about criminal convictions and offences will be used to determine if any activities and offences committed create a conflict with your job role, whether the conviction would put you or a client at risk or potentially expose you or a client to risk.  We may also consider any criminal conviction or offence when determining your continued employment and your job role.

We are allowed to use your personal information in this way because it is necessary as part of your contract of employment and it is necessary for us to carry out the relevant checks in relation to your employment. In some cases, we are under a legal obligation to check for criminal convictions, such as where we are required by relevant safeguarding legislation.

Do you have to give us the personal information we ask for?

You are under no statutory or contractual obligation to provide personal data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty to act honestly and fairly. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Certain information, such as contact details, your right to work in the UK and payment details, has to be provided to enable us to enter a contract of employment with you.

Failing to provide the data may mean that you are unable to exercise your statutory rights, may not be able to participate in career development and will hinder our ability to administer the rights and obligations arising out of the employment relationship efficiently.

Please note that where we have indicated above that our processing of your personal data is either:

  1. necessary for us to comply with a legal obligation; or
  2. necessary for us to take steps, at your request, to potentially enter into an employment contract with you, or to perform it,

if you choose not to provide the relevant personal data to us, we may not be able to enter into or continue our contract of employment or engagement with you.

Do we process information about you without any human intervention at all?

Please note that we do not use your personal data to make any employment decisions about you which are based solely on automated decision-making.

Who has access to data?

Sometimes we need to share your personal data with other people.

Within the council:

Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.

Staff and data processors: The information you give us will be used by our staff and third parties who provide council services on our behalf.

Developing and testing business applications: We may use the information you give us to maintain and improve the services which we deliver; this includes developing and upgrading the systems which we use to process your information.

Corporate business intelligence: We may share the information you give us with other council services for research and analysis purposes, to help us design the services we provide and to identify and contact residents who may benefit from them.

Outside the council:

We share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service.

We will share your data with government, police, regulators or law enforcement agencies including the Council’s Corporate Anti-Fraud Service, where we are required to do so by law, for example, by a court order, statutory power or for the purposes of prevention of fraud or other crime. We will share your data with the government where required to do so, for example, returns to enable policy, service and workforce planning at a national level for services.

The Cabinet Office also requires local authorities to participate in the National Fraud Initiative (NFI) which is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud. The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018 or GDPR. Data matching by the Cabinet Office is subject to a code of practice.

We also share your data with third parties that process data on our behalf including with third parties who provide payroll, pensions, training, surveys, benefits and occupational health services.

We will also share your personal data with third parties in the context of a possible restructuring of the Council or a possible service provision change (i.e. either through an outsourcing scenario or an insourcing scenario).  We will share your personal data with the third parties if and to the extent required under the terms of the transaction.

We will not transfer your data to countries outside the European Union unless the transfer is to a country approved by the European Commission as providing adequate protection and appropriate safeguards.

How do we protect data?

We take security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed by our employees except in the performance of their duties. Further information on Data Protection and supporting Codes of Practice is available on request.

Where we have engaged third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

You are responsible for keeping your login details to our systems safe and you must not share these or any other account details with any other person.

Do we carry out any monitoring?

Access to our private computer network is restricted to authorised users. As an employee, you will be provided access. All access and activities will be monitored.

How long do we keep data?

Retention periods are set by regulation or, where none exists, are based on business practice. As legislation is regularly updated, the time that information is kept may change.

If your application for employment is unsuccessful, we will hold your data on file for no more than 12 months after the end of the relevant recruitment process. At the end of that period, your data is anonymised.

If your application is successful, personal data gathered during the recruitment process will be transferred to your employee file. We will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment depend on the type of data and the purpose for which it is processed. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

After the retention period, your data will either be deleted completely or anonymised.

Your rights

Subject to certain conditions, you have certain rights in relation to any personal data about you which we hold.  These are:

  • a right of access – this allows you to obtain a copy of your data on request.  If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations;
  • a right to require us to change incorrect or incomplete data – you may challenge the accuracy or completeness of your personal data and have it corrected and completed, as applicable.  Please always check first whether there are any available self-help tools to correct the personal data we process about you;
  • a right to require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing.  We may not be in a position to delete your personal data, if for example, we need it to comply with a legal obligation or to defend legal claims, or to perform our tasks in the public interest;
  • a right to data portability – you can receive the personal data that you have provided to us by automated means, in a structured, commonly used machine readable format.  You should specify the type of information you would like to receive and where we should send it where possible to ensure that our disclosure is meeting your expectations;
  • a right to object to the processing of your data where we are relying on our legitimate interests, or on reasons of public task, as the legal grounds for processing.

Who to contact

If you would like to exercise any of these rights, or have any questions in connection with this Notice, please contact H&FInTouch@lbhf.gov.uk.

Alternatively, as a public authority we are required to appoint a Data Protection Officer who assists us in monitoring internal data protection compliance, informs and advises us on our data protection obligations, advises us on our data protection impact assessment process and acts as our contact point with the Information Commissioner. You can contact our Data Protection Officer at dpo@lbhf.gov.uk.

Where feasible and possible, we encourage you to use the self-service portal which enables you to update your own records yourself.

If you believe that we have not complied with data protection laws, you can complain to the Information Commissioner (ico.org.uk).

What if this notice changes?

The terms of this notice may change from time to time. We shall publish any material changes to this notice through updates, either here or by contacting you using other communication channels.
