St Margaret’s Hospice Care collects and processes personal information relating to job applicants, staff and volunteers to manage the employment and volunteer relationship. We are committed to being transparent about how we collect and use your information and to meeting our data protection obligations.
This Privacy Notice explains what information we collect about you, how we use it, store it, including how long we retain it and with whom and for what purpose we may share it.
Who are we?
St Margaret’s Hospice Care has been at the heart of Somerset’s community for over 40 years, delivering high quality, responsive and compassionate care to patients and their families and friends facing a life-limiting illness.
We are a charity (reg. charity no. 279473), governed and regulated by the following bodies: The Fundraising Regulator, Care Quality Commission, the Charity Commission and Gambling Commission. St Margaret’s also has the following subsidiaries: St Margaret’s Hospice Retail Ltd (Company Registration Number 7204857), Hospice Funerals Trading Ltd (Company Registration Number 10953084). We are also registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5135098.
What personal information do we collect about you?
We collect and processes a range of information about you. This may include your:
- name, address and contact details, including email address and phone number, date of birth and gender
- qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation
- marital status, next of kin, dependants and emergency contacts
- nationality and entitlement to work in the UK
- medical or health conditions, including any disability for which we need to make reasonable adjustments
- equal opportunities monitoring information, including ethnic origin, sexual orientation, health and religion or belief.
Additional information for employees and volunteers may include your:
- contract terms and conditions
- remuneration, including entitlement to benefits such as pensions or insurance cover
- bank account and national insurance number
- criminal record
- schedule and attendance at work (days of work and working hours)
- periods of leave taken, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
- disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- performance assessments, including appraisals, performance reviews and ratings, training undertaken, performance improvement plans and related correspondence
How do we collect / obtain your personal information?
We collect information in a variety of ways through:
- application forms or CVs
- identity documents such as your driving licence, birth certificate etc.
- forms completed by you during your application and at the start or during employment or volunteer role
- correspondence with you, interviews, meetings or other assessments.
In some cases we collect information about you from third parties, such as references supplied by former employers or character referees and information from criminal records checks permitted by law.
Information is stored in a range of different places, such as your personnel file, our HR management systems and in IT systems (including the email system).
Why do we collect and process your personal information?
Your information is used for a number of purposes including to:
- Manage the recruitment process, assess and confirm a candidate's suitability and decide to whom to offer a job
- Respond to and defend against legal claims
- Make reasonable adjustments to the recruitment process for candidates who have a disability, to carry out our obligations and exercise specific rights in relation to employment
- Run recruitment and promotion processes
- Maintain accurate and up-to-date records and contact details (including details of who to contact in the event of an emergency), and records of contractual and statutory rights
- Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- Operate and keep a record of performance and related processes, to plan for career development, and for succession planning and workforce management purposes
- Obtain occupational health advice, to ensure we comply with duties in relation to individuals with disabilities, meet obligations under health and safety law and ensure pay or other benefits are received
- Operate and keep a record of types of leave (including sickness absence, maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, ensure we comply with duties in relation to leave entitlement, to ensure pay or other benefits are received
- Ensure effective general HR and business administration
- Provide references on request for current or former employees and volunteers
- Respond to and defend against legal claims
- Maintain and promote equality in the workplace.
What is our legal basis for processing your information?
We will only use your information where we have a legal basis to do so. The legal basis we rely on to process your information to enter into an employment or volunteer contract with you is ‘contract'.
Contract – Article 6 of the GDPR states ‘the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract’ such as, when you submit an application for a job, agree to undertake a volunteer role or to pay you in accordance with your contract and to administer allowances and pension entitlements.
We process ‘special category’ information, this is where ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards’. Such as:
- health or medical conditions to carry out employment law obligations, if you have a disabilities and for health and safety purposes
- ethnic origin, sexual orientation, health or religion or belief, for equal opportunities monitoring.
Are there other legal grounds that we can process your personal information under?
While contact is our primary legal basis for processing your personal information, other legal grounds we may use to process your personal information includes:
Legal obligation - Article 6 of the GDPR states ‘the processing is necessary for you to comply with the law (not including contractual obligations), such as, to check an employee's entitlement to work in the UK, deduct tax, enable you to take periods of leave and comply with health and safety laws with our duty of care whilst you are on our premises. For certain positions we have to carry out criminal records checks to ensure you are permitted to undertake the role.
Consent - Article 6 of the GDPR states ‘the individual has given clear consent for you to process their personal data for a specific purpose’. Such as, equal opportunities monitoring information. Information used for this purpose is anonymised and is collected with the express consent of the individual which can be withdrawn at any time. You can decide whether or not to provide such information and there are no consequences of failing to do so.
In exceptional circumstances we may process your information when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. This includes legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. We will always do our best to notify you of this sharing.
In extreme situations, such as an accident or medical emergency, we may share your personal details with the emergency services if it is essential for the preservation of life (yours or another persons’) for us to do so. This is the ‘vital interest’ ground for using your personal information. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.
What would happen if we did not collect and process your personal information?
You would not be able to undertake your role safely and efficiently and we would not be able to comply with our legal obligations if we did not collect this information.
You have some obligations under your contract to provide us with information. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with information in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the information may mean that you are unable to exercise your statutory rights.
How long do we retain your personal information for?
We hold your information for the duration of your employment or volunteering role. After the end of your contract, employment information is retained for a minimum of 15 years, volunteer information is retained for minimum of 3 years after leaving and only accessed for reference request, subject access requests, or personal injury claims.
Applicant information is retained for a minimum of 6 months.
Records are removed or archived confidentially once their retention period has been met and we have made the decision that the records are no longer required. For more information please see the Records and Document Management Policy which sets out the appropriate length of time each type of record is retained.
Removed electronic records may still exist within an organisation but will be put ‘beyond use’. Beyond use means it has been deleted from systems used by the organisation with no intent to use it again, however that it may exist in some form in the electronic ether, such as IT service backups or archives.
Who do we share your personal information with and why?
Your information is shared internally on a need to know basis, including the HR and recruitment team (including payroll), your line manager, managers in the area you work, on-call managers and IT staff if access to the information is necessary for performance of their roles.
We share your information with third parties to obtain references from employers, employment background checks from third-party providers, criminal records checks from the Disclosure and Barring Service and registration of external training schemes. We may also share your information with third parties in the context of a sale of some or all of our business. In those circumstances the information will be subject to confidentiality arrangements.
We also share your information with third parties that process information on our behalf, in connection with payroll, provision of benefits (such as pension, childcare vouchers, cycle to work) and occupational health services. We have information sharing agreements or arrangements in place with these organisation to ensure your information is kept securely.
How do we maintain your records?
We hold and process your information in accordance with the Data Protection Act 2018. In addition, everyone working for St Margaret’s Hospice Care comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We take the security of your information seriously. We have internal policies and controls in place to ensure your information is not lost, accidentally destroyed, misused or disclosed, and is only accessed by individuals in the performance of their duties.
Information is retained in secure electronic and paper records and access is restricted to only those who need to know.
Use of email or messaging service - Some services provide the option to communicate via email or messaging service. Please be aware that the hospice cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.
What are your rights?
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 give you certain rights over your information and how we use it. This includes:
- the right to be informed about the information we hold about you
- the right to have access to the information we hold on you, known as a data subject access request
- the right to request the correction of inaccurate or incomplete information in our records
- the right to restrict our processing of your personal information in certain circumstances.
- the right to request that your information be deleted or removed where there is no need for us to continue processing it in certain circumstances (we may need to retain your information for a specified period to comply with our legal obligations)
- the right to obtain a copy of your personal information in a portable format so you can reuse it in certain circumstances
- the right to object to your information being used in certain circumstances, such as, for marketing purposes.
We will consider each request in accordance with all applicable Data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be excessive in nature. All requests will be actioned and completed at the latest within one calendar month of receipt. Where a request is noted as complex, then this period may be extended by up to a further two calendar months. If this is the case we will inform you within the first month that this has been determined and the basis on which the decision has been made.
How can I raise a complaint, exercise a right or ask a question on how my information is used
Please contact us if you have any questions about this privacy notice or the information we hold about you. Contact our Data Protection Officer via email@example.com or call 01823 333822, or write to St Margaret's Hospice, Heron Drive, Taunton, TA1 5HA.
If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter.
How to contact the Information Commissioners Office?
The Information Commissioner’s Office (ICO) is the body that regulates organisations, including charities under Data Protection legislation.
If you believe your privacy rights have been violated, you may file a complaint with us. If you are not satisfied with our response or believe we are not processing your personal information in accordance with the law you can complain to the ICO at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national)