Privacy notice for staff
We are committed to respecting and protecting your privacy whenever we use your personal data.
GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. For the purposes of this privacy notice reference to GenesisCare UK includes the GenesisCare UK subsidiaries.
The registered office for GenesisCare and its subsidiaries is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. Other registration details are as follows:
| Company name | Company registration number | Information Commissioner’s Office registration number |
| --- | --- | --- |
| Berkshire Health Limited (BHL) | 07238700 | Z274620 |
| Birmingham Prostate Clinic (BPC) | 05509497 | ZA441424 |
Genesis Specialist Care Finance UK Limited and Genesis Specialist Care Holding UK Limited are salary processing subsidiaries.
This Privacy Notice
The following privacy notice sets out what information about you GenesisCare UK collects, how that information may be used, the lawful basis for processing and who it will be shared with. We also explain for how long it will be retained, how we will secure it, and your legal rights.
This Privacy Notice applies to the following groups of individuals (both current and former):
- Other persons working for GenesisCare e.g. agency, bank, fixed term contract
- Volunteers, trainees and those carrying out work experience
- Secondees (please read the specific section below).
Separate privacy notices have been provided for Job Applicants, for Consultants and Other Clinical External Individuals and for Suppliers and Service Providers (non-clinical).
How we obtain your information
GenesisCare UK will obtain personal data about you directly from you or through a third party whom you have nominated to provide us with information. For example we may collect information:
- Directly from you
- From your current employer (e.g. in a secondment or TUPE scenario)
- From security clearance providers
- From occupational health and other health providers
- From pension administrators and other government departments, e.g. HM Revenue and Customs, the Department for Work and Pensions, UK Visas and Immigration
- From your trade union or other third party which you may have chosen to represent you
- From providers of staff benefits
- On CCTV images.
The information we collect
We will only collect, use and store your personal and special category data where the processing can be legally justified under UK law.
Personal data means any information relating to an identifiable person who can be directly or indirectly identified, for example identified by a name, a reference number, address, date of birth, etc.
Special category personal data is information about an individual’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, sex life or sexual orientation and health, including genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to the processing of such data.
The table below describes the data we handle and what we need it for. It also explains the basis we can rely on to request and retain data about you as well as who it will be shared with.
Sometimes, we may be required to share personal data to comply with a statutory obligation, a court order or for the prevention or detection of a crime or apprehension of an offender.
If you are seconded to another organisation (host employer) a robust secondment agreement between the two organisations will be in place, as well as an agreement between GenesisCare UK or its subsidiary and yourself.
It will be necessary to provide and collect information in order to fulfil the obligations required by the secondment agreement, and the table below describes the data we will handle.
Seconded to another organisation
Seconded from your employer
If you are seconded to GenesisCare UK or its subsidiary you will receive a relevant privacy notice from your employer which will detail the information provided to us. We will collect and share data with your employer as follows:
Workday is a system which holds details of your application to work at GenesisCare UK as well as your employment record. It provides self-service functionalities so that you can complete and/or correct the personal data you have added to your personal file in the system. Please note that if you remove certain types of information this may have an effect on your relationship with us. We recommend you check with GenesisCare UK P&C Team before doing so.
The P&C Team also hold an electronic personnel file for each staff member in a secure limited access folder on the GenesisCare server. This file is for more sensitive data as well as data that cannot currently be held on Workday, such as correspondence and personal development plans.
Over time it is planned that Workday will store the majority of your personnel file.
You can ask the P&C Team to see all personal data and request a correction or completion of your personal data processed by GenesisCare at any time if the information is not accessible via the self-service functionality.
International transfers of your personal data
GenesisCare UK is part of a global organisation and we (or third parties acting on our behalf) may store or process personal data within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain, Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.
Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
- Implementing Standard Contractual Clauses; and
- Adopting technical, organisational and contractual measures, where required, having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer; or
- The transfer is necessary for the performance of a contract.
In all cases any transfer of your personal data will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal data when making international transfers, please contact the DPO, details at the end of this Privacy Notice.
Data Protection Designation
The data protection designation (e.g. controller, joint controller, processor) will depend on the circumstances and may change if relationships alter. Please seek further information from the Data Protection Officer (DPO) if required, details at the end of this privacy notice.
The controller of your personal data will generally be GenesisCare UK or its applicable subsidiary.
Where we share information with third party suppliers working under our instructions (i.e. suppliers who act as processors of the data we share for the purposes outlined in the table), we ensure that strict contractual arrangements and safeguards are in place. These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.
In certain circumstances GenesisCare and a third party will be a joint controller of your data. This is where GenesisCare and a third party will jointly determine the means and purposes of the processing. Examples of where joint controllership may occur are where your data is used for:
- Training, education
- Where you have agreed to take part in a publication or website article
- Research activities where GenesisCare UK has determined the means and the purposes
- Management of our subsidiary and affiliated entities and related activities (e.g. provision of systems, services and support).
We will secure your information by:
- Establishing a network of individuals across the organisation who are accountable and responsible for information risk management
- Maintaining various organisational measures, including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
- Applying technical measures including lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
- Ensuring only appropriate individuals have access to relevant and proportionate information about you
- Carrying out checks on third parties who process personal data on our behalf.
We retain records in accordance with our Records Lifecycle and Retention Procedure which is based on legal and best practice requirements. When the retention period expires the record will be securely destroyed. The following are examples:
Rights of access, correction, erasure, and restriction
Under data protection law you have a number of specific rights in relation to the personal data that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time, without this adversely affecting you, by contacting the DPO (details at the end of this privacy notice).
We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. Unless there are grounds for extending the statutory deadline we will respond within one month of receipt of a Rights request. If the data relates to health we may be required to apply special rules to comply with data protection legislation.
1. The right to be informed – This is fulfilled through our privacy notices.
2. The right of access to your personal data – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data. We will usually provide you with your personal data in writing unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.
3. The right to rectification – You can require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.
4. The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal data we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep it for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.
6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal data or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
7. The right to object – You have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.
8. The right not to be subject to automated decisions – This relates to decisions that are made about you by computer alone that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to the processing of your data. In the event that our policy in this respect changes, we shall update this privacy notice.
9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal data. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal data. You can do this by contacting the DPO, details below.
Information Commissioner’s Office
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise your rights, or if you think we have not complied with our legal obligations.
Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the DPO, details below.
Making a complaint will not affect any other legal rights or remedies that you have.
Questions and queries
If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact the GenesisCare Information Governance Manager at firstname.lastname@example.org, or at GenesisCare, 69 Alma Rd, Windsor SL4 3HD. Telephone 01753 418444.
If you have any questions about this privacy notice or how we handle your personal data please contact the relevant DPO:
Revised March 2023