Data Protection and Privacy
Privacy Notice(How Suffolk County Council HR uses employee and job applicant information)
The categories we collect, process, hold and share include:
- personal information (such as name, address, next of kin and bank details)
- vehicle information (such as make, model and registration)
- characteristics (such as ethnicity, sexual orientation and religion / belief)
- qualification and skills information (such as qualification dates)
- previous employment records (such as date of employment and reasons for leaving)
- sickness and medical information (such as periods of and reasons for absence and occupational health referrals and reports)
- performance information (such as PDR objectives and outcomes / 9 box grid placement)
- employee relations information (such as disciplinary, grievance and capability casework)
Why we collect and use this information
We use employee / applicant data to:
- enable us to carry out specific functions for which we are responsible
- running payroll (including paying mileage and expenses, SSP, SMP)
- statutory reporting
- maintaining employment records
- produce anonymous statistical information (such as characteristics of employees and / or applicants)
- longlist, shortlist and make decisions about applicants suitability to undertake a specific role
- produce anonymous reporting about the organisation (such as absence reporting)
- manage sickness, disciplinary, grievance, capability, conduct and other employee relations casework
- support occupational health referrals
- provide staff benefits to employees
- undertake safeguarding and pre-employment checks (such as Disclosure and Barring Service (DBS) check)
- undertake staff surveys
The lawful basis on which we use this information
We have a lawful basis to collect, process, hold and share this information, as detailed in paragraphs 1 b) and 1 c) of Article 6 of the General Data Protection Regulation (GDPR), as detailed below:
b) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
Collecting this information
Whilst the majority of employee / applicant information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you whether you are required to provide certain information to us or if you have a choice in this.
Storing this information
We hold your data for the following periods:
- Applicant data is held for one year following an unsuccessful job application
- General employee data (personal, vehicle, characteristics, qualification and skills), previous employment records and performance is stored for the duration of the individual’s employment, plus three years, except for employee data for individuals working with children which is stored for the duration of the individual’s employment, plus 45 years
- Absence data and medical records are stored for the current year, plus two years, except for health surveillance records which are kept for up to 40 or 50 years, depending on which type of record they are.
- Employee relations case files (disciplinary, grievance, capability and conduct) are stored for two years, unless a different retention period is identified as part of the outcome of the case
Who we share this information with
We routinely share employee / applicant information with:
- the Office of National Statistics (ONS) on a statutory basis under section 1 of Statistics of Trade Act 1947
- Her Majesty’s Revenue and Customs (HMRC) on a statutory basis under
- the Income Tax (Pay As You Earn) Regulations 2003 (SI 2003/2682);
- the Social Security (Contributions) Regulations 2001 (SI 2001/1004); and
- the Income Tax (Construction Industry Scheme) Regulations 2005 (SI 2005/2045)
- Duradiamond Healthcare, our Occupational Health provider, on a contractual basis as part of pre-employement checks, management or ill health retirement referrals detailed in our Sickness Absence policy
- Sodexo Holdings Limited, our staff benefits provider, on a contractual basis to provide staff benefits to employees
- Tuskerdirect Limited, a staff benefit provider, on a contractual basis to provide a salary sacrifice car scheme to employees
- BMG Research, an independent research agency, on a contractual basis to provide our staff survey
- Kent County Council, our criminal records check provider, on a statutory and contractual basis to undertake DBS checks on our behalf
- Learning Pool Limited, our e-learning provider, on a contractual basis to allow access to our e-learning platform
We will share employee information with third parties as part of Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE), the data provided will be in two parts
- Anonomised data detailing staff numbers, staff absences, numbers and kinds of employee relations cases. This data forms part of the initial due dilliegence relating to any TUPE transfer and will be shared with any third party with a specific interest in transferring staff as part of a commercial or procurement project
- Specific “employee liability information”, including but not limited to:
- the identity of the employees who will transfer;
- the age of those employees;
- information contained in the ‘statements of employment particulars’ for those employees;
- information relating to any collective agreements which apply to those employees;
- instances of any disciplinary action within the preceding two years taken by the transferor in respect of those employees in circumstances where the Acas Code of Practice on discipline and grievance applies;
- instances of any grievances raised by those employees within the preceding two years in circumstances where the Acas Code of Practice on discipline and grievance applies; and
- instances of any legal actions taken by those employees against the transferor in the previous two years, and instances of potential legal actions which may be brought by those employees where the transferor has reasonable grounds to believe such actions might occur.
- This data forms part of the due diligence relating to a TUPE transfer and will be shared with the third party identified as the future employers of staff after the transfer, following or as part of a commercial or procurement activity.
In both cases the information will be provided as part of our statutory obligations detailed in Regulation 11 of the Transfer of Undertakings (Protection of Employment) Regulations 2006. Other data sets may voluntarily be provided as part of the TUPE process.
Why we share this information
We share employee / applicant data with the third parties detailed above in order to meet statutory or contractual requirements.
We do not share information about individuals without consent unless the law and our policies allow us to do so.
Data collection requirements
To find out more about the data collection requirements placed on us by the ONS and HMRC go to:
Both the ONS and HMRC may share information about employees / applicants for
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The ONS and HMRC have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.
Decisions on whether Human Resources releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to employee / applicant information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
Requesting access to your personal data
Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information contact Data.Protection@suffolk.gov.uk.
You also have other rights regarding your personal data which are set out in SCC’s corporate Privacy Notice, which can be seen here: https://www.suffolk.gov.uk/about/privacy-and-data-protection/
If you have a concern about the way we are collecting or using your personal data, please contact us in the first instance, by writing to the Data Protection Manager at Constantine House, 5 Constantine Road, Ipswich IP1 2BX or by e-mailing firstname.lastname@example.org.
Alternatively, you can contact the or the Information Commissioner’s Office at https://ico.org.uk/concerns/.
SCC’s corporate privacy notice is available at https://www.suffolk.gov.uk/about/privacy-and- data-protection/. If you would like further information about this privacy notice, please contact: email@example.com
We process data submitted through Suffolk Jobs Direct and recorded on iTrent on behalf of our partners; Mid Suffolk District Council, Babergh District Council, Suffolk Coastal District Council, Waveney District Council, South Norfolk Council and Schools' Choice. For details of their privacy statements, please click on the links below:
- https://www.midsuffolk.gov.uk/the-council/your-right-to-information/data-protection- act/