The Trust collects, stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.
The processing of employee personal information is necessary for the purpose of employment and social security and social protection law.
The Trust is not required to seek your explicit consent to process your personal information for employment purposes, taxation, fraud, internal and external investigations, and statutory or regulatory reporting purposes requiring identification.
How we use your employee information
Your personal information is processed for the purposes of:
- Staff administration and management (including payroll and performance)
- Pensions administration
- Business management and planning
- Accounting and Auditing
- Accounts and records
- Health administration and services
- Information and databank administration
Employee information and publicity
Your personal information will not be used for internal and external publications without your explicit written consent.
Sharing of employee information
The Trust will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) and Care Information Services (smartcard) Systems.
There are a number of circumstances where we must or can share information about you to comply with or manage:
- Disciplinary/investigation processes, including referrals to Professional Bodies, e.g. NMC and GMC;
- Legislative and/or statutory requirements;
- Court Orders which may have been imposed on us;
- NHS Counter Fraud requirements;
- Requests for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature.
The Trust’s Informatics Department is committed to maintaining the privacy, dignity and confidentiality of service users at all times. We adhere to the principles of data protection legislation, Department of Health and NHS Digital policies, procedures and codes of practice.
The Informatics Department uses your personal information to create and manage IT user accounts and to monitor system access and performance.
System-generated audit trails are also used to improve internal processes, identify account and system issues, and establish whether inappropriate access to and/or use of IT equipment/resources has occurred.
Audit trails may also be released to patients requesting details of employees who have accessed their medical record.
Registration Authority Smartcards
If you hold or register for an NHS Registration Authority (RA) Smartcard, your personal information, including your driving licence and passport numbers, will be recorded along with a photographic image within NHS Digital’s Care Identity Service (CIS) System.
All users issued with a Smartcard have the ability to update certain aspects of their record on the CIS database as well as change their PIN code and, when necessary, renew their own Smartcard certificates. (Certificates last two years and can be self-renewed within the 90 days leading up to the expiry date; after this time please contact your local Registration Authority.)
All Informatics staff adhere to a strict code of ethics in relation to the confidentiality of all personal and sensitive data.
All personal and sensitive information is treated as sensitive (‘special category’) personal data in respect of data protection legislation, and can be shared by the recipient only with the individual’s consent and with others who have a legitimate need to know.
Your information may be released without your knowledge or consent in exceptional circumstances dictated in the professional codes of ethical behaviour and statute law, i.e. the prevention and detection of a serious crime, fraud, malpractice allegation, court order or the vital interests of yourself or another (life or death).
The Trust utilises the NHSmail email system as our main communication system. As a member of staff, you accept that you will work within the NHSmail acceptable use policy v3 (September 2018). This occurs when you register for the service. This is your promise to all NHSmail users, and to the public and patients we serve, that you will be mindful of the importance of the information that they share over NHSmail.
NHSmail Data Retention and Information Management Policy
Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies. The NHSmail Data Retention and Information Management Policy defines the scope of data held and details the recovery of data. The process to request this is available in the NHSmail Access to Data Policy on the NHSmail portal help pages.
Our responsibilities for data protection are explained in the Transparency Information document located within the General Data Protection Regulation section of the NHSmail portal help pages.
Sharing of employee information
Limited personal information about you may also be shared with third-party organisations in order to permit access to externally located/hosted systems, i.e. Lorenzo and TPP SystmOne (GP system).
The Informatics department will use your personal information to create anonymised, pseudonymised and statistical compliance reports.
External IT Monitoring
NHS Digital now provides national monitoring of all internet activity through NHS devices to local organisations such as hospitals and GP surgeries. This means that all internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital will be able to identify the affected device and user in real time so that alerts can be provided nationally and locally in order to minimise the threat to the NHS, staff and patients.
Under the SFT process, whenever an alert is received, Informatics will immediately retrieve the device and commence erasing any data and rebuilding the device. Please be aware that any information stored locally on the machine will be removed with immediate effect.
Appropriate action will be taken, in line with Trust policies and procedures, over any inappropriate or malicious breaches detected.