Privacy notice for employees

This Privacy Notice explains how the personal data of the employees of, and applicants for employment by Genesis Cancer Care UK Limited, registered address Wilson House, Waterberry Drive, Waterlooville, Hampshire PO7 7XX (“GenesisCare”), is collected, managed and used by GenesisCare.

Introduction

GenesisCare recognises the importance of protecting the personal information of its staff. When we ask you for information, we will ensure we do so legally and will handle your information in a manner which respects your privacy.

We will:

  • Ask only for what we need, and not collect irrelevant information
  • Protect your information from loss, damage, misuse, unauthorised access or disclosure
  • Make sure we do not keep your information for longer than necessary
    Keep your personal data accurate and up-to-date
  • Not disclose your data to third parties without your permission unless required to do so by law

In return, we ask you to:

  • give us accurate information, and
  • tell us as soon as possible if there are any changes, such as new contact details, as this helps us to keep your information accurate and up-to-date

What is a Privacy Notice?

Legislation regulates the management of personal information about living individuals.
A ‘privacy notice’ is a statement issued by an organisation which explains how personal and confidential information about patients, service users, staff and visitors is collected, used and shared.

This privacy notice is issued by GenesisCare UK in relation to the information we collect about staff as part of our responsibilities as an employer.

It sets out:

  • why we collect personal information
  • how we use it
  • what information we collect
  • how we look after it
  • how to exercise your rights, and
  • how we meet our legal and other duties under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018

For the purposes of this privacy notice, ‘staff’ includes applicants, employees, other workers (including agency, bank and contracted staff), honorary position holders, volunteers, trainees and those carrying out work experience.

It covers information in all formats including email, audio recordings, photographs, online forms and paper documents.

Why we collect your personal information

We will only process your personal data where we have your consent or where the processing can be legally justified under UK law and includes circumstances where processing is necessary for the performance of your contract with us or for compliance with any legal obligations which apply to us as your employer.

This includes human resources purposes including but not limited to recruiting and hiring job applicants, and:

  • Managing employee communications and relations;
  • Providing compensation and benefits;
  • Administering payroll;
  • Processing corporate expenses and reimbursements;
  • Managing employee participation in human resources plans and programs;
  • Carrying out obligations under employment contracts;
  • Providing occupational health and wellbeing services to individuals;
  • Managing employee performance;
  • Conducting training and talent development;
  • Facilitating employee relocations and international assignments;
  • Managing employee headcount and office allocation;
  • Managing mergers, acquisitions and divestitures;
  • Managing the employee termination process;
  • Providing facilities such as building access and car parking provision;
  • Preventing and detecting crime and managing a safe working environment;
  • Managing information technology and communications systems, such as the corporate email system and company directories;
  • Conducting ethics and disciplinary investigations;
  • Conducting employee surveys;
  • Administering employee grievances and claims;
  • Managing audit and compliance matters;
  • Management reporting analysis;
  • Complying with applicable legal obligations, including government reporting and specific local law requirements; and
  • Other general human resources purposes.

How your information will be used

As your employer, GenesisCare needs to keep and process information about you for normal employment purposes.

GenesisCare uses two HR management platforms: Workday and ADP payroll administration and mobile services GenesisCare is defined as the data controller. This means we decide how your personal data is processed and for what purposes.

We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of GenesisCare UK and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

We may monitor use of GenesisCare IT equipment, network and internet access through usernames and log-ins to ensure adherence to the Acceptable Use Policy or for statistical purposes.

We also process your personal data in relation to the protection of the interest of GenesisCare and its employees and service users. We are required to undertake pre and in-employment screening and monitoring of employees, as a condition of employment, in particular, Disclosure and Barring Service and Occupational Health checks.

When you use the Workday HR platform, we may track how you use the system to help us make improvements, spot when there’s a technical hiccup, make it easier to use and pull out key statistics on usage.

We may process your data to ensure that any task carried out in your work comply with, or are authorised by law and other regulations.

Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay, health insurance or life insurance policies.

Where we process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless this is not required by law or the information is required to protect your health in an emergency.

Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

We may also have to disclose your data to supervisory authorities during the course of data protection enquiries or necessary reporting.

  • On occasion, we may need to share sensitive personal without first obtaining your explicit consent. This will only occur if the processing is necessary:
    to protect your vital interests and you cannot give your consent or your consent cannot reasonably be obtained, for example, in a medical emergency
  • to protect another person’s vital interest and you have unreasonably withheld your consent
  • to meet our statutory obligations or in response to a court order
  • for the purpose of prevention or detection of crime, the apprehension or prosecution of offenders

As a company pursuing healthcare activities, we may sometimes need to process your data to pursue our legitimate business interests. This will be in ways that you would reasonably expect, the nature of which include:

  • Administrative purposes during clinical trials
  • Using your personal data within our systems and communications so that GenesisCare employees (including employees within other GenesisCare groups), Health Care Professionals, suppliers, patients and any other party we share information with for our business purposes, know who you are and are able to contact you
  • Providing you with appropriate tools, systems and access to support so that you are able to carry out your tasks effectively
  • Monitoring access to systems for the purposes of ensuring access is appropriate, identifying and preventing security breaches
  • Support the reporting and investigation of any incidents, near misses, complaints or concerns
  • Supporting your professional development and undertaking reviews of your performance
  • Ensuring you are up to date with statutory and mandatory training and supporting additional training needs as appropriate
  • Sharing personal data to select third parties in connection with any sale, transfer or disposal of our business

We will never process your data where these interests are overridden by your own interests.

Who is responsible for the information about you?

GenesisCare is responsible for processing your personal data. We are registered with the Information Commissioners Office, registration number Z9493925. If you’d like to see the details in the public register, please go to https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/.

As the Workday platform provides self-service functionalities, you can complete, correct or remove the personal data you have added to your personal file in Workday. Please note if you remove certain types of information this may have an effect on your relationship with us. We recommend you check with GenesisCare UK HR before doing so.

You can also ask the GenesisCare UK HR department to see all personal data and request a correction or removal of your personal data processed by GenesisCare at any time if the information is not accessible via the self-service functionality.

Where does the information come from?

We collect information directly from you in person, over the telephone or on a form you have completed, such as a job application, contractual documentation or timesheet. We also receive information from external sources, for example, from current or previous employers, recruitment agencies, GCUK’s occupational health provider, the Disclosure and Barring Service, or government bodies such as HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration.

What information do we collect?

The information that we collect about you includes details such as:

  • Name, address, telephone, email, date of birth and next of kin or emergency contacts for the purposes of uniquely identifying you from other employees and to contact your nominated contacted in the event of a medical emergency
  • Recruitment and employment checks, such as, professional membership, references, proof of identification and right to work in the UK
  • Bank account pension, tax and national insurance details to be able to pay you and fulfil our legal obligations to disclose salary details to HMRC
  • Trade union membership
  • Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
  • Medical information relevant to your employment, including physical health, mental health and absence history, and whether you have a disability or require any additional support or adjustments for your employment
  • Information relating to your health and safety at work, and any incidents, accidents or dangerous occurrences
  • Professional registration and qualifications, education and training history, appraisals and other performance measures
  • Information relating to employee relations, for example, disciplinary proceedings, grievances and complaints, tribunal claims
  • Information about any current or previous criminal offences. Please contact our HR Department for more details
  • Records of holidays or other periods of absence

Who has access to your information?

Within the GenesisCare UK your personal data may be shared with colleagues who legitimately need the information to carry out their duties such as your line manager and HR staff. The amount of personal information shared will be no more than is necessary.

Your name, job title, department or section, GenesisCare email address and telephone number will appear in the GenesisCare UK internal staff directory. This information may also appear on externally facing webpages and publications.

Your personal data may be accessed by other relevant GenesisCare UK departments such as finance e.g. payroll, but only to the extent necessary to fulfil their respective tasks. GenesisCare Australia HR also has access to this personal data to provide functional support to GenesisCare UK HR.

In exceptional cases, external employees of Workday may have access to your unencrypted personal data to provide technical support and management support of the Workday platform to GenesisCare. GenesisCare has taken the required organisational and contractual measures to ensure that your personal data is only used for the purposes mentioned above.

Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll providers, pension or health insurance schemes.

Sharing your information with third parties

There are certain limited circumstances when we may need to share your personal and sensitive personal information with third parties outside of GenesisCare UK, for example:

  • pension providers and insurers
  • auditors undertaking investigations

We will also confirm dates and nature of employment to a prospective employer in a reference.

We will only share your information outside of GenesisCare with your consent or if:

  • the disclosure is in the legitimate interests of GenesisCare or the third party to whom the information is being disclosed, or
  • there is a statutory obligation or court order requiring us to share the data, or
  • disclosure is required for the performance of a contract, or
  • disclosure is necessary to protect your vital interest; for example in medical emergency situations, or
  • disclosure is made to assist with prevention or detection of crime, or the apprehension or prosecution of offenders, or
  • disclosure is necessary to assist us with a legal obligation to which we are subject

Contractors and Service Providers engaged by GenesisCare

We may also disclose your information to business partners and third party suppliers working under contract on behalf of GenesisCare to provide specific services on our behalf, for example:

  • payroll processing
  • occupational health services
  • staff benefits
  • IT support
  • HR administrative services

Where this happens, suppliers are bound by strict contractual provisions and safeguards. These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.

Sharing your information outside the European Economic Area (EEA)

We will usually only share your personal information with third parties outside of the EEA if you have given your consent. However, there may be circumstances where information is shared without consent. This will only be if one or more of the following applies:

  • it is necessary to protect your vital interests; for example, in medical emergency situations
  • it is necessary for the performance of a contract between you and GenesisCare
  • it is necessary for the purpose of obtaining legal advice or in connection with any legal proceedings
  • the EU has made a finding of adequacy in relation to the country having an adequate level of protection, or
  • measures are in place to ensure your information is adequately protected and your rights respected, for example, by means of a binding contract or agreement.

Where such transfers are made, we have in place safeguards to ensure the security of your data.

How we will secure your personal data

We take privacy seriously and will ensure your personal data is appropriately secured and protected from being accidentally or deliberately compromised. Measures we take to ensure the security include;

  • Establishing a network of individuals across the organisation who are accountable and responsible for information risk management
  • Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
  • Technical measures including lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
  • Ensuring only appropriate individuals have access to relevant and proportionate information about you
  • Carrying out checks on third parties who process personal data on our behalf

How long do we keep your personal data?

Your personal data will be stored according to GenesisCare UK Records Retention Policy.

Your rights and your data

If in the future, we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data.

You are entitled to:

  • a description of the personal information we hold about you
  • why this information is being collected and processed
  • know to whom your information may be disclosed
  • know where the information came from, if this is not clear
  • have a copy of the information on request – this is called a subject access request
  • ask for any errors or out-of-date information to be corrected

Unless subject to an exemption under the above legislation, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which GenesisCare UK holds about you;
  • The right to request that GenesisCare UK corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for GenesisCare UK to retain such data;
  • Where your consent is relied upon as a processing condition, the right to withdraw your consent to the processing at any time. Any such withdrawal will not affect the lawfulness of the processing before your consent was withdrawn;
  • The right to request that GenesisCare provides you with your personal data and where possible, to transmit that data directly to another data controller, (the right to data portability), where applicable. (This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case the data is processed by automated means).
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, where applicable. (This right only applies where processing is based on legitimate interests; the performance of a task in the public interest; direct marketing and processing for the purposes of scientific/historical research and statistics).
  • The right to lodge a complaint with the Information Commissioners Office if you believe that we have not complied with the requirements of the data protection legislation.

Further Processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Identity and contact details of the Data Controller and Data Protection Officer

To exercise all relevant rights, queries or complaints, in the first instance please contact the Information Governance Manager on infogov@genesiscare.co.uk.

If you have any concerns as to how your data is processed you can contact:

The Data Protection Offer at DPO@genesiscare.co.uk
Data Protection Officer
C/O Legal Counsel
GenesisCare Windsor
69, Alma Road
Windsor
SL4 3HD

Or, you can write to these individuals using the address of GenesisCare UK provided in this notice.

Further Information

Independent advice about data protection is available from the UK Information Commissioner’s website at https://ico.org.uk/
You can contact the Information Commissioners Office on 0303 123 1113 or via email
https://ico.org.uk/global/contact-us/email/
or, at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.