Privacy notice for staff

Privacy notice for staff


Genesis Cancer Care UK Ltd (“GenesisCare”) is registered as a Data Controller with the ICO under Z9493925 and has its registered office at Wilson House, Waterberry Drive, Waterlooville, Hampshire PO7 7XX.

GenesisCare will collect, store and process personal data about prospective, current and former staff in order to carry out our business activities and obligations as an employer. We recognise the need to treat staff personal data in a fair, lawful and transparent manner. We have developed this privacy notice to inform you what to expect when we collect and use information about you as. It sets out:

  • What information we collect
  • Why we collect personal information
  • How we look after it
  • How to exercise your rights, and
  • How we meet our legal and other duties under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

When we ask you for information, we will ensure we do so legally and will handle your information in a manner which respects your privacy.

We will:

  • Only ask for what we need, and not collect irrelevant information
  • Protect your information from loss, damage, misuse, unauthorised access or disclosure
  • Make sure we do not keep your information for longer than necessary
  • Keep your personal data accurate and up to date
  • Not disclose your data to third parties without your permission unless required to do so by law

We ask that you:

  • Give us accurate information, and
  • Tell us as soon as possible if there are any changes, such as new contact details, as this helps us to keep your information accurate and up to date.


GenesisCare is the Data Controller for your information unless this Privacy Notice specifically states otherwise.

For the purposes of this privacy notice, ‘staff’ includes employees, bank staff, contractors, agency placements, clinical placements, locums, honorary position holders, secondees, students, trainees, those carrying out work experience and volunteers. A separate privacy notice has been provided for Job Applicants and for Consultants and other External Individuals.

It covers information in all formats including email, audio recordings, photographs, online forms and paper documents.

What information do we collect?

The information that we collect about you includes details such as:

  • Name, address, telephone, email, date of birth and photograph
  • Next of kin
  • Recruitment and employment checks, such as, professional membership, references, proof of identification and right to work in the UK
  • Bank account pension, tax and national insurance details
  • Trade union membership
  • Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs
  • Medical information relevant to your employment, including physical health, mental health and absence history, and whether you have a disability or require any additional support or adjustments for your employment
  • Information relating to your health and safety at work, and any incidents, accidents or dangerous occurrences
  • Professional registration and qualifications, education and training history, appraisals and other performance measures
  • Information relating to employee relations, for example, disciplinary proceedings, grievances and complaints, tribunal claims
  • Still, moving and audio images
  • Equal opportunities information
  • Information about any current or previous criminal offences
  • Records of holidays or other periods of absence

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

Why we collect your personal data

We will keep and use your information to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.

We will only process your personal data where the activity can be legally justified under UK law. We collect and use personal data about you to support the following purposes:

  • Managing employee communications and relations;
  • Providing compensation and benefits;
  • Administering payroll, statutory and company sick pay, health insurance or life insurance policies;
  • Pre and in-employment screening and monitoring of employees, as a condition of employment, in particular Disclosure and Barring Service and Occupational Health checks.
  • Processing corporate expenses and reimbursements;
  • Managing employee participation in human resources plans and programs;
  • Carrying out obligations under employment contracts;
  • Providing occupational health and wellbeing services to individuals;
  • Managing employee performance;
  • Providing informative and promotional information about the GenesisCare company, team and our services
  • Conducting training and talent development;
  • Facilitating employee relocations and international assignments;
  • Managing employee headcount and office allocation;
  • Managing mergers, acquisitions and divestitures;
  • Managing the employee termination process;
  • Providing facilities such as building access and car parking provision;
  • Managing a safe working environment;
  • Managing information technology and communications systems, such as the corporate email system and company directories;
  • Monitoring access to Centres and the use of GenesisCare IT equipment, network and internet access through usernames and log-ins to ensure adherence to our policies and procedures
  • Tracking how you use our systems to help us make improvements, spot when there’s a technical hiccup, identify cyber training requirements, make it easier to use and for statistical purposes
  • Conducting ethics and disciplinary investigations;
  • Conducting employee surveys;
  • Promoting the GenesisCare brand and
  • Equal opportunities monitoring;
  • to protect your vital interests where you cannot give your consent or your consent cannot reasonably be obtained, for example, in a medical emergency
  • to protect another person’s vital interest and you have unreasonably withheld your consent
  • to meet our statutory obligations or in response to a court order
  • for the purpose of prevention or detection of crime, the apprehension or prosecution of offenders
  • Administering employee grievance, claims and litigation;
  • Managing audit and compliance matters;
  • Management reporting analysis;
  • Complying with applicable legal obligations, including government reporting and specific local law requirements;
  • Administrative purposes during clinical trials
  • to comply with our health and safety and occupational health obligations
  • Using your personal data within our systems and communications so that GenesisCare employees (including employees within other GenesisCare groups), Health Care Professionals, suppliers, patients and any other party we share information with for our business purposes, know who you are and are able to contact you
  • Providing you with appropriate tools, systems and access to support so that you are able to carry out your tasks effectively
  • Support the reporting and investigation of any incidents, near misses, complaints or concerns
  • Supporting your professional development and undertaking reviews of your performance
  • Ensuring you are up to date with statutory and mandatory training and supporting additional training needs as appropriate
  • Sharing personal data to select third parties in connection with any sale, transfer or disposal of our business and
  • Other general human resources purposes


In order to safeguard our staff, doctors, patients and visitors (including all their families), you may be invited to take part in testing for SARS-CoV-2, which will be on-going until all government shielding and social distancing measures due to SARS-CoV-2 have been lifted.

Your nasal and throat swab sample will be couriered to the laboratory for processing. We will supply the laboratory with basic ID details (name and DOB) to allow them to process and track your swab test. Delegated members of the research team, Director of People and Culture and the Director of Operations will have access to your information and the data gathered from the swab. The results of the swab test will be communicated by the research team to the centre leader who will contact you should a positive result be received.  The laboratory, as Data Controller will have its own privacy policy and will protect and retain data in line with data protection legislation and national standards.

Alternatively, a finger prick test which takes a small amount of blood, may also be performed to support weekly testing. This will be collected directly into the point of care (POC) device by delegated staff in the Centre. POC antibody test results will not be shared with you and will only be accessed by the designated tester and the research team as part of the data collection process.

Our lawful basis for processing your personal data and the retention period for the records which we hold about you can be found at Appendix 1.

Who is responsible for the information about you?

GenesisCare as a Data Controller, is responsible for the for the personal data we process about you.

We use two HR management platforms: Workday and ADP payroll administration and mobile services. As the Workday platform provides self-service functionalities, you can complete, correct or remove the personal data you have added to your personal file in Workday.  Please note if you remove certain types of information, this may influence your relationship with us.  We recommend you check with GenesisCare UK HR before doing so.

You can also ask the GenesisCare UK HR department to see all personal data and request a correction or removal of your personal data processed by GenesisCare at any time if the information is not accessible via the self-service functionality.

Where does the information come from?

We collect information directly from you in person, over the telephone or on a form you have completed, such as a job application, contractual documentation or timesheet. We also receive information from external sources, for example, from current or previous employers, recruitment agencies, GCUK’s occupational health provider, the Disclosure and Barring Service, or government bodies such as HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration.

Who has access to your information?

Within the GenesisCare, your personal data may be shared with colleagues who legitimately need the information to carry out their duties such as your line manager and HR staff.  The amount of personal information shared will be no more than is necessary.

Your name, job title, department or section, GenesisCare email address and telephone number will appear in the GenesisCare internal staff directory.  This information may also appear on externally facing webpages and publications.

Your personal data may be accessed by other relevant GenesisCare departments such as finance e.g. payroll, but only to the extent necessary to fulfil their respective tasks. GenesisCare Australia HR also has access to this personal data to provide functional support to GenesisCare UK HR.

In exceptional cases, external employees of Workday may have access to your personal data to provide technical support and management support of the Workday platform to GenesisCare. GenesisCare has taken the required organisational and contractual measures to ensure that your personal data is only used for the purposes mentioned above.

If you are involved in supporting media relations, information about you and your role at GenesisCare may appear in our marketing materials, educational resources, presentations or within journalistic articles. These will be published online and within printed media, used in promotional material at events, advertising, broadcasting and educational platforms worldwide. You will always be informed if a media relations activity would benefit from your involvement and you will always have the right to object, if you wish.

Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll providers, pension or health insurance schemes.

Sharing your information with third parties

There are certain limited circumstances when we may need to share your personal and sensitive personal information with third parties outside of GenesisCare UK, for example:

  • pension providers and insurers
  • auditors undertaking investigations
  • regulators during enquiries, investigations and reporting
  • Where you have given our details as a referee, we will confirm dates and nature of employment to a prospective employer in a reference.

Contractors and Service Providers engaged by GenesisCare

We may also disclose your information to business partners and third-party suppliers working under contract on behalf of GenesisCare to provide specific services on our behalf, for example:

  • payroll processing
  • occupational health services
  • staff benefits
  • IT support
  • HR administrative services

Where this happens, suppliers are bound by strict contractual provisions and safeguards.  These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.

How we will secure your personal data

We take privacy seriously and will ensure your personal data is appropriately secured and protected from being accidentally or deliberately compromised.

Those staff members managing the People and Culture function are trained to handle your data correctly and protect your confidentiality and privacy.

We maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your data is never collected or sold for direct marketing purposes.

Technical and organisational measures we take to ensure the security of your information include;

  • An established network of individuals across the organisation who are accountable and responsible for information risk management
  • Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
  • lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
  • Ensuring only appropriate individuals have access to relevant and proportionate information about you
  • Restricted access to electronic systems and folders
  • Carrying out checks on third parties who process personal data on our behalf

International transfers of your personal information

GenesisCare UK is part of a global organisation and we (or third parties acting on our behalf) may store or process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain and Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.

As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.

Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:

  • Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
  • Implementing Standard Contractual Clauses; and
  • Adopting technical, organisational and contractual measures, where required, having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.

In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:

  • You have explicitly consented to the proposed transfer; or
  • The transfer is necessary for the performance of a contract.

In all cases, any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.

Your rights and your data

If in the future, if we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information prior to commencing the activity.

Under the General Data Protection Regulation (GDPR), you have a number of rights with regard to your personal data. These are;

  • The right to be informed about how your information is used
  • The right to access your information
  • The right to have your personal data rectified or completed
  • The right to lodge a complaint with the Information Commissioners Office if you believe that we have not complied with the requirements of the data protection legislation.

In certain circumstances, you also have the right to:

  • object to the processing of personal data
  • request a restriction on further processing
  • request your personal data is erased
  • to withdraw your consent (where consent is relied upon)
  • request that we transfer your information you gave us to another organisation

To exercise all relevant rights, queries or complaints, in the first instance please contact the Information Governance Manager on .

If you have any concerns as to how your data is processed you can contact:

The Data Protection Offer at

Data Protection Officer

C/O Legal Counsel

GenesisCare Windsor

69, Alma Road



Or, you can write to these individuals using the address of GenesisCare UK provided in this notice

Further Information

Independent advice about data protection is available from the UK Information Commissioner’s website at

You can contact the Information Commissioners Office on 0303 123 1113 or via email

or, at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

Revised November 2021