Privacy Notice for Employees, Workers and Contractors

Spencer Private Hospitals collects and processes personal data about you to manage our working relationship with you. This includes:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• Marital status, date of birth, gender, dependants, next of kin and emergency contact information
• Information about your nationality and entitlement to work in the UK
• Bank account details, payroll records, National Insurance number and tax status information
• The terms and conditions of your employment
• Salary, pension and benefits information
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
• Employment records (including job titles, working hours, training records, qualifications, professional memberships and employment history, including start and end dates, with previous employers and with Spencer Private Hospitals)
• Details of periods of leave taken by you, including holiday, family leave and sabbaticals, and the reasons for the leave
• Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
• Assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence
• Copy of your driving licence and/or passport.
• CCTV images and other information obtained through electronic means such as swipe or Smart card records.
• Information about your use of our information and communications systems.

We may also collect, store and use the following "special categories" of more sensitive personal data:

• Information about your health, including any medical condition, sickness absence and health and sickness records
• Information relating to accidents or incidents in the workplace
• Information about your race or ethnicity and religious beliefs.
• Information about criminal convictions and offences
• Trade union membership
• Genetic information and biometric data

Spencer Private Hospitals may collect your personal data in a variety of ways. For example, personal data may be collected from you through application forms, CVs or resumes and covering letters; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, Spencer Private Hospitals may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks permitted by law.

Your personal data will be stored in a range of different places, including in your personnel file, in Spencer Private Hospitals’ HR management systems and in other IT systems (including Spencer Private Hospitals’ email system).

Calls to our 0330 019 4890 telephone number may be answered by our external answering service called Money Penny. The information collected from you will be the minimum needed to either answer or redirect your call. The information you volunteer to us will be used for the purpose of responding to you or to improve the call answering service we provide. Please do not volunteer any medical or other sensitive information to the Moneypenny answering agent.

Spencer Private Hospitals needs to process personal data about you to enter into an employment or other contract with you and to meet its obligations under that contract. For example, it needs to process your personal data to provide you with a contract, to pay you in accordance with your contract and to administer any benefit, pension and insurance entitlements.

In some cases, Spencer Private Hospitals needs to process your personal data to ensure that it is complying with its legal obligations. For example, it is required to check entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

In other cases, Spencer Private Hospitals has a legitimate interest in processing personal data before, during and after the end of the employment relationship provided your interests and fundamental rights do not override Spencer Private Hospitals’ legitimate interests.

• Run recruitment and promotion processes
• Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of contractual and statutory rights
• Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
• Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes
• Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
• Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
• Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that Spencer Private Hospitals complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
• Ensure effective general HR and business administration
• Provide references on request for current or former employees
• Respond to and defend against legal claims

Some special categories of Personal Data, such as information about leave and health or medical conditions are processed to carry out our obligations in the field of employment law (such as those in relation to employees with disabilities or for health and safety purposes) and/or for the assessment of the working capacity of an employee. Information about criminal convictions and offences is processed to comply with our legal obligations due to the nature of our business and the role that you perform. We will only collect this information where we are legally able to do so.

Where Spencer Private Hospitals processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring to maintain and promote equality in the workplace. This is to carry out its obligations and exercise specific rights in relation to employment.

Spencer Private Hospitals may also process your personal data, special categories of personal data and information about criminal convictions and offences  to respond to and defend against legal claims,  where it is necessary to protect your interests (or someone else’s interest) and you are not capable of giving consent or where you have already made the information public.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

We do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes.

Your personal data may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.

Spencer Private Hospitals shares your personal data with third parties in order to assist with tests to assess suitability for employment or engagement and /or promotion, obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. Spencer Private Hospitals may also share your personal data with third parties in the context of a sale of some or all its business. In those circumstances the data will be subject to confidentiality arrangements.

Spencer Private Hospitals also shares your personal data with third parties that process data on its behalf, in connection with payroll, the provision of benefits, its online employee management systems and the provision of occupational health services. All our online systems for our business operation utilise the East Kent Hospitals University NHS Foundation Trust (EKHUFT) network infrastructure e.g. patient record system, risk management systems, business productivity tools (MS Office).

Spencer Private Hospitals will not transfer your personal data to countries outside the European Economic Area.

Spencer Private Hospitals takes the security of your personal data seriously. We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, destroyed, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who need to access it in the proper performance of their roles for Spencer Private Hospitals. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. These measures are in accordance with applicable laws and regulations.

Where Spencer Private Hospitals engages third parties to process personal data on its behalf, they are also obliged to implement appropriate technical and organisational measures to ensure the security of data.

In most cases Spencer Private Hospitals will retain your personal data for the duration of your contractual relationship with us. After the end of your contractual relationship with us we may keep some or all your personal data for 6 years. If any employee works to 75 years of age or older their personal file will still be kept for 6 years from their leave/retirement date. This is for several purposes including satisfying any legal, accounting, or reporting requirements and to respond to and defend against legal claims. In exceptional cases Spencer Private Hospitals may retain your personal data for different durations further details are contained in SPHIG09 Retention Schedule.

We may also retain indefinitely basic information about your employment and the roles held in order to be able to respond to reference requests from future employers.

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Risk and Information Manager, who can be contacted by emailing DataProtection@spencerhospitals.com or telephoning 07583 867301.

It is important that the personal data we hold about you is accurate and current. If employees need to update their personal details or records, they must update their details directly on People HR.

Under certain circumstances, by law you have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of incomplete or inaccurate personal data we hold about you.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are processing it for our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party where processing is carried out by automated means.

If you would like to exercise any of these rights, please contact our Risk and Information Manager, who can be contacted by emailing DataProtection@spencerhospitals.com or telephoning 0330 019 4890 or 07583 867301

If you have any concerns or comments about how we use information, we would like to hear from you. Alternatively, you may contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues for guidance and advice, or to lodge a complaint.

The ICO may be contacted at:

Online:             www.ico.org.uk

Post:                Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone:      0303 123 1113 (local rate) or 01625 545745 (national rate)

Privacy Notice – Updated November 2023