As an employer, the Trust needs to keep and process information
about you for normal employment purposes. The information we hold
and process will be used for our management and administrative use.
We will keep and use it to enable us to run the business and manage
our relationship with you effectively, lawfully and appropriately,
whilst you are working for us, at the time when your employment
ends and after you have left. This includes using information to
enable us to comply with the employment contract, to comply with
any legal requirements, pursue the legitimate interests of the
Trust and protect our legal position in the event of legal
proceedings. If you do not provide this data, we may be unable in
some circumstances to comply with our obligations and we will tell
you about the implications of that decision.
Much of the information we hold will have been provided by you,
but some may come from other internal sources, such as your manager
or people you work with, or in some cases, external sources, such
as referees, a Trades Union, or a professional organisation such as
the British Medical Association, or one of the medical Royal
Colleges.
The sort of information we hold includes your application form
and references, your contract of employment and any amendments to
it; correspondence with or about you, for example letters to you
about a pay rise or, at your request, a letter to your mortgage
company confirming your salary; information needed for payroll,
benefits and expenses purposes; your hours worked, contact and
emergency contact details; records of holiday, sickness and other
absence; information needed for equal opportunities monitoring
policy; and records relating to your career history, such as
training records, appraisals, other performance measures and, where
appropriate, disciplinary and grievance records.
For the purposes of security, network and application integrity,
and ensuring the effective management of IT many applications will
maintain logs of usage which may identify users either directly or
indirectly. All internet usage is logged and internet and email
traffic is monitored as detailed in our policies available in the
staff handbook or on the intranet. This data may be analysed on an
aggregate basis without identifying individuals for diagnostic,
utilisation and planning requirements. Use of the data in a way
which identifies individuals will only be authorised where this is
necessary for legitimate purposes and in accordance with policies
and the Telecommunications (Lawful Business Practice) (Interception
of Communications) Regulations 2000.
You will, of course, inevitably be referred to in many Trust
documents and records that are produced by you and your colleagues
in the course of carrying out your duties and the business of the
Trust.
Your contact details will be made available to the Trust
Membership Office as employees are automatically invited to become
Members of the Trust.
You may opt-out of membership if you wish in accordance with
Article 9 of the Trust
Constitution. If you wish to opt out please contact the
membership office via email foundationtrust@uhbristol.nhs.uk
or call 0117 34 23764. By law we are required to make a register of
our membership available to the public on request. This register
shows the member's name and their membership type, but not their
address or any other personal details. If you wish to be taken off
the public register, please get in touch with the membership
office.
Where necessary, we may keep information relating to your
health, which could include reasons for absence, certificates and
GP reports and notes. This information will be used in order to
comply with our statutory health and safety and occupational health
obligations - to consider how your health affects your ability to
do your job and whether any adjustments to your job might be
appropriate. We will also need this data to administer and manage
statutory and Trust sick pay. Occupational health records will be
kept separate and confidential from other employee records - see Occupational
Health.
Where we process special categories of information relating to
your racial or ethnic origin, political opinions, religious and
philosophical beliefs, trade union membership, biometric data or
sexual orientation, we will always obtain your explicit consent to
those activities unless the processing is necessary for the purpose
of the employment contract or required by law or the information is
required to protect your health in an emergency. We will tell you
whether providing the information is optional or mandatory.
In particular some staff, including staff in Hotel Services,
will be required to provide biometric fingerprint data (but not a
fingerprint as such) for clocking purposes. This is used in
managing rostering, time and attendance records, absences, skills
management and related functions.
In most cases we will be processing your data because it is
necessary for the purpose of the employment contract or required by
law but where we are processing data based on your consent, you
have the right to withdraw that consent at any
time. Occasionally we will process staff data as we have a
legitimate interest in doing so - for example in relation to
running the Recognising Success Awards.
Other than as mentioned below, we will only disclose information
about you to third parties with your consent, if we are legally
obliged to do so, or where we need to comply with our contractual
duties to you, for instance we may need to pass on certain
information to a pension scheme.
In particular information may be disclosed to:
- Suppliers contractors partners and other organisations in the
normal course of your employment activities - for example your
contact details will be shared with anyone you correspond with,
relevant personal details may be shared as part of a due diligence
process where the Trust is entering into a contract or research
partnership. You will normally be aware of this as part of your
work. If it is something you would not reasonably expect we will
let you know before doing so.
- Training providers. Where the Trust commissions training on
your behalf from an external supplier the Trust will share
necessary information about you with the provider for the
management co-ordination and quality control of that training
- HM Revenue and Customs for the administration of tax and
national insurance
- professional registration organisations - e.g. in respect of
fitness to practice hearings
- NHS Pensions if you are a member of the scheme
- banks & insurance companies. at your request - e.g. to
confirm employment details in respect of loan/mortgage
applications/guarantees
- the Department of Work and Pensions e.g. in relation to
benefits enquiries
- the Child Support Agency
- the Disclosure and Barring Service
- the Student Loans Company
- the Home Office Visa & Immigration Service
- the National Clinical Assessment Service where a request is
made to issue a Healthcare Professional Alert Notice as under the
Healthcare Professional Alert Notices Directions 2006
- the public under the Freedom of Information Act where this does
not breach the data protection principles e.g. requested names or
contact details of senior managers or doctors or those in
public-facing roles
National Fraud Initiative (NFI)
The Trust is required by law to protect the public funds it
administers. It may share information provided to it with other
bodies responsible for auditing or administering public funds, in
order to prevent and detect fraud.
The Cabinet Office conducts data matching exercises to assist in
the prevention and detection of fraud as part of its responsibility
for public sector efficiency and reform. Part 6 of the Local Audit
and Accountability Act 2014 enables the Cabinet Office to process
data as part of the NFI.
The Trust is a mandatory participant of the NFI which is a data
matching exercise undertaken by the Cabinet Office to assist in the
prevention and detection of fraud. We are required to provide
particular our payroll data to the Cabinet Office for each
exercise.
Data matching involves comparing sets of data, such as payroll
of a body against other records held by the same or another body to
see how far they match. This is usually personal information and
Trust creditors' data. The data matching allows potentially
fraudulent claims and payments to be identified. Where a match is
found it may indicate that there is an inconsistency which requires
further investigation. No assumption can be made as to whether
there is fraud, error or other explanation until an investigation
is carried out.
The Trust's legal basis to process this data is set out in
Article 6 (c) of the General Data Protection Regulation (GDPR)
"processing is necessary for compliance with a legal obligation to
which the controller is subject;"
For further information see the
Cabinet Office Privacy Notice.
For further information on data matching at University Hospitals
Bristol NHS Foundation Trust contact Elias Hayes, Local Counter
Fraud Specialist on 01173 420828 or elias.hayes@nhs.net.
The Trust may use data processors to hold information in files
e.g. archive storage companies.
We will not normally transfer your information outside of the
EEA or to an international organisation but may do so with your
explicit consent e.g. where a doctor is participating in a
multi-national research project.
We have in place appropriate safeguards to ensure the security
of your data in accordance with the Trust's Information Security
Policy.
Your personal data will be kept up to date and accurate during
your employment and will be retained for a minimum for a period of
TBC years after the end of your employment.
If in the future we intend to process your personal data for a
new purpose we will provide you with information on that purpose
and any other relevant information.
Please also see information regarding Your Rights.
Some of these will be of limited application, particularly during
the period you remain employed. For example we would not delete
records we need to comply with our statutory and contractual
duties.