Privacy Notice: Employee and Applicant

Covid-19 testing programme for staff

Why is this programme taking place?

A voluntary antibody testing programme has been commissioned by the Department of Health and Social Care (DHSC) for critical workers and their household members who are self-isolating because they are showing symptoms of Covid-19.  DHSC are the data controller for the programme and a copy of their privacy notice can be found here.  Samples are tested in local laboratories and the results are recorded in a database called the local Integrated Clinical Environment (ICE) database.  Access to this database is strictly controlled and audited, and can only be accessed for clinical reasons by clinical staff caring for you.  You do not need to tell us if you test negative.  You will need to tell us if you test positive as you will need to self-isolate, and if it is confirmed that you have contracted Covid-19 through exposure at work, we are obliged to report this to the Health and Safety Executive.

Covid-19 Antibody testing programme for staff

Why is this programme taking place?

A voluntary antibody testing programme for NHS staff is being carried out at the request of NHS England and NHS Improvement to provide information on the prevalence of Covid-19 in different regions of the country and help better understand how the disease spreads.  Covid-19 is a new disease and our understanding of the body’s immune response to it is limited.  The benefit of processing this information is that it will enable understanding of the virus to grow as new scientific evidence and studies emerge.  If you choose to take part in the programme, you will learn whether you have had the virus that causes Covid-19 in the past and whether you have developed antibodies to the virus.  The research into the prevalence of Covid-19 will enable the organisation to develop infection control measures and safe working practices for the future.

What information will be collected?

If you consent to take part in the programme you will be provided with information about the programme and a consent form.  The personal and special category data collected from you on the consent form will include date of the blood test, name, mobile phone number, NHS number, ESR number, job role, ethnic group, health details relating to whether you believe you have had Covid-19, the symptoms experienced and whether you have been hospitalised, and whether you are on any immunosuppressant medication and the drug details if applicable.

Lawful Basis

The lawful basis for the testing and sharing of your personal data with the organisation and your registered GP under GDPR is Article 6(1)(e) processing is necessary in order to protect the vital interests of the data subject or of another natural person.

The additional condition for processing special category health data under GDPR is Article 9(2)(g) processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

The lawful basis for sharing personal information nationally and with the Covid-19 research programme is the Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 issued by the Secretary of State for Health and Social Care 20/03/20 (COPI).

Who will your information be shared with?

Results will be shared with your employer, your GP, Public Health England and other NHS providers for Public Health and Healthcare purposes.  The anonymised result will also be reported as part of national reporting requirements.  Some or all personal information may also be shared with a Covid-19 research programme to help in the search for a treatment and vaccine for Covid-19.

How long will this information be kept for?

The organisation will keep a record of all staff, whether they have been tested and whether the result was positive.  This documentation will be retained by the organisation for as long as your employee record is retained.  It is possible that this record will become a ‘record of historical importance’ – if this is the case it will be retained by the organisation for 20 years, after which transfer to a local place of deposit will be considered.

Test results will be shared with your registered GP who will enter them into your health record and retain in accordance with the retention schedule set out in the Records Management Code of Practice for Health and Social Care 2016.

Access to SystmOne

Staff may be asked to work from home during the current Coronavirus Outbreak.  Where this is the case, access to medical records on SystmOne will continue to be monitored and audited in the same way as it is when staff are working on any practice premises.  Staff should only access medical records where there is a legitimate reason to do so.  Any unauthorised access to records will be investigated in accordance with the organisation's disciplinary procedures.

Tier One - Overview of Information Held and Shared

This Privacy Notice explains and describes how this organisation uses and manages the information it holds about its staff and job applicants. This includes how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of information is maintained.

Our Contact Details:

  • Organisation Name: Bournemouth East Collaborative PCN
  • Address: Harewood Crescent, Littledown,  Bournemouth, BH7 7BU
  • Phone Number: 01202 309 500
  • Data Protection Officers: Emily Hutchings and Helen Williams
  • Data Protection Registration Number: z6754629

We collect and process the following information about job applicants:

  • personal contact details – name, address, contact telephone number(s), email address;
  • employment and education history including your qualifications, skills, experience, membership of any professional bodies, employment references and details of any criminal convictions that you declare;
  • a copy of your passport or similar photographic identification and / or proof of your current address;
  • information about your current level of remuneration, including benefit entitlements;
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;
  • details about your health including any medical needs or conditions;
  • details of any pre-employment assessments;
  • information about your entitlement to work in the UK;
  • equal opportunities monitoring information including information about your ethnic origin, sexual orientation, health and religion or belief.

The organisation collects this information from a number of sources, such as:

  • application forms;
  • CVs or resumes;
  • copies of your passport and other identity documents;
  • interview notes;

We are required to obtain this information about you to comply with employment law in order to assess your capacity to work, to ensure that equality law is being met through the recruitment process and to comply with any safeguarding laws relating to the role you are applying for. You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the requested information, the organisation may not be able to process your application.

Your information will be shared internally for the purposes of employment.

This includes:

  • interviewers involved in the recruitment process;
  • GPs and Practice Manager
  • Primary Care Network management team

If you are successful in your application, the organisation will also share your data with former employers and nominated individuals in order to obtain references for you, carry out employment background checks with providers, and obtain necessary criminal records checks through the Disclosure and Barring Service (DBS).

We collect and process the following information about our staff:

  • identity details – name, date of birth, gender, nationality, NI number;
  • images (whether captured on CCTV, by photograph or video);
  • personal contact details – address, contact telephone number(s), email address;
  • a copy of your passport or similar photographic identification and / or proof of your current address;
  • details about your marital status, ‘next of kin’ or emergency contact information;
  • employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare;
  • Disclosure Barring Service (DBS) criminal record check details where necessary for the job role;
  • information about your job role and employment contract including start/leave dates, salary, any changes to your employment contract, working patterns and any requests for flexible working or changes to employment, and location of employment;
  • performance at work documents such as probationary reviews, appraisals and any training or development you have undertaken;
  • grievance and dignity at work records and investigations, disciplinary records and documentation, incident investigations and statements where you are involved;
  • accident records, workplace assessments, access needs assessments and reasonable adjustment documentation;
  • medical and health conditions, immunisation records if appropriate for your role, and details you have provided about protected characteristics;
  • details of time spent working, including overtime, expenses and other claimed payments;
  • details of leave including sick leave, holidays, special leave, sabbaticals and career breaks;
  • pension details, bank account details, payroll records and tax status information;
  • details relating to maternity, paternity, shared parental / adoption leave and pay applications for the relevant leave, copies of MATB1 forms/matching certificates and other relevant documentation;
  • details relating to your car insurance and registration for parking and mileage claims;
  • details of trade union membership, and equal opportunities monitoring information including information about your ethnic origin, sexual orientation, health and religion or philosophical belief.

The organisation collects this information from a number of sources, such as:

  • application forms;
  • CVs or resumes;
  • copies of your passport and other identity documents;
  • interview notes and any assessment information;
  • information provided by you or generated about you during the course of your employment.

You are required under your employment contract to provide some information to the employing organisation, such as absences from work, annual leave requirements, information about disciplinary or other matters. Failure to provide this information may mean that you are unable to exercise your statutory rights.

Your information will be shared internally for the purposes of employment. This includes:

  • line managers and Human Resources;
  • finance and payroll;
  • PCN Managers/Practice Manager or team members with responsibility for health and safety including first aid, accidents, incident investigations and complaints.

The PCN shares and receives employee information from a range of organisations or individuals for a variety of lawful purposes, including:

  • NHS Jobs and other employment agencies;
  • Occupational Health;
  • Payroll, HMRC;
  • NHS Pensions;
  • CCTV providers;
  • IT staff;
  • your employer or place of work if you are a secondee or a contractor;
  • any new employer under TUPE or where a reference is requested;
  • disclosure to bodies with statutory investigative powers e.g. the Care Quality Commission, the GMC, the Audit Commission and Health Services Ombudsman;
  • NHS England;
  • emergency services in the case of an emergency.

Employee information is only shared with other organisations when there is a legal basis to do so, such as:

  • where there is a contract in place for data processing;
  • where there is a Court Order or statutory duty to share information;
  • where there is a statutory power to share information;
  • where the employee has given explicit consent to the sharing of information.

Employee information is only shared on a need to know basis when there is a direct reason to do so and is limited to what is necessary for that purpose such as providing employment rights and payroll.

Tier Two - Purposes of Processing, Retention and Your Rights

Purposes of Processing

Our organisation processes employee and job applicant data in order to meet our statutory legal obligations, to provide employment and an employment contract, to check your entitlement to work in the UK and whether you have any criminal convictions, to pay you and manage benefit, pension and insurance entitlements in accordance with your employment contract. We keep records in order to have accurate and up to date information available to ensure that employee rights and remuneration are in place. Our organisation values the concept of data minimisation and uses anonymous or pseudonymised data where possible.

Your data will be stored in a range of different places, including your personnel file, and HR, email and IT systems such as IRIS Payroll system and TeamNet.

We do not process the information of unsuccessful job applicants but your information may be retained for future opportunities. Please see section on retention.

Primary Care Networks (PCNs) are groups of GP Practices working closely together with their local partners for the benefit of patients and the local community. Our PCN comprises Beaufort Road Surgery, Littledown Surgery, Shelley Manor & Holdenhurst Medical Centre and Southbourne Surgery.

Your information (name, clinics and working hours) may be seen by employees from anywhere in our PCN, at any of the Practices, in order for our PCN administrators to be able to view clinics and book appointments.

If you are employed in a Network role additional information may be shared in order that all practices within the network can be satisfied that statutory employment and regulatory requirements have been met. This may include information such as training details, vaccination information, appraisal and revalidation dates, indemnity information and DBS check details.

PCNs are required to make national quarterly returns to NHS England via the Primary Care Web Tool system. This is a submission to support a national record of the primary care workforce.

Dorset’s integrated care system, known locally as ‘Our Dorset’ is a partnership of local organisations (health and local councils) working together to improve services to meet the needs of local people and deliver better outcomes. Our Dorset have a Dorset Intelligence and Insight (DiiS) Business Intelligence platform which uses pseudonymised data to reveal important insights into local and community healthcare, in order to inform the future of healthcare for communities. In order to effectively manage new services, pseudonymised employee information is also shared into the DiiS in order to assess the workforce requirements.

Other ways in which Staff or Applicant information may be used:

If you are involved in an incident, for example you slip and fall whilst in the Practice, your information may be included in the incident report and used as part of the investigation process.

We record all incoming telephone calls to the Practices to assist with training, for medico-legal purposes and for quality assurance and responding to complaints. Recordings of telephone calls will only be accessed where necessary by the PCN/Practice management team. We store recordings in accordance with the Records Management Code of Practice for Health and Social Care 2016, after which they are deleted.

If a complaint or query is raised with the PCN which requires your involvement, we may obtain statements from you and/or conduct interviews with you and hold that information within a secure database in order to ensure that the complaint or query can be answered appropriately. Details of complaints or queries will not be stored within your employment records.

We may also process data for the following secondary uses:

  • Risk stratification and population health management: we use the services of analytics staff in Dorset Healthcare as part of the Intelligent Working Programme (IWP) to pseudonymise and extract data and transfer it to analytics staff at Optum for linking with Secondary Uses data with the aim of improving short term and medium term health outcomes for local populations through the application of Population Health Management. Pseudonymised patient data and staffing and vacancy levels are used to allow Dorset the opportunity to plan and sufficiently staff future services.
  • National archiving: records made by an NHS organisation are Public Records in accordance with Schedule 1 of the Public Records Act 1958. The Public Records Act 1958 requires organisations to select core records for permanent preservation at the relevant Place of Deposit (PoD) appointed by the Secretary of State for Culture, Media and Sport. PoDs are usually public archive services provided by the relevant local authority. Records no longer required for current service provision may be temporarily retained pending transfer to a PoD and records containing sensitive personal data should not normally be transferred early.
  • Improving Services: pseudonymised workforce information is sometimes used to help assess the workforce requirements when identifying areas for improvement in the services provided to our communities.

These secondary uses of data help the NHS to meet our statutory obligations under the Public Records Act 1958, and to plan and manage health services for the population of Dorset.

The PCN is the data controller of the data we gather, hold and create about you. We engage with data processors who may process your data. All data processors are held to strict contractual obligations which specify the limitations, any access arrangements, storage and retention of data on our behalf as well as strict confidentiality and information handling clauses. All data processors are also held to high information security standards and are asked to provide evidence of how they meet data protection legislation. These processors may be software suppliers or specialist and support services.

The PCN does not routinely transfer data outside of the European Economic Area and will assess any ad hoc transfers against adequacy (GDPR Article 45) and appropriateness of safeguards and data protection (GDPR Article 46) of the country of transfer.

The law gives you certain rights in relation to the personal information that we hold about you:

1. Right of access to your information

You have the right to request a copy of the personal information that we hold about you by contacting the PCN Operations Manager. We will provide this information, within one month, free of charge. We can restrict disclosure of your information if we feel that granting access would disclose information likely to cause serious harm to your physical/mental health, or that of another individual, and you do not already know the information, or where access would disclose information about/provided by a third party who could be identified from the information and who has not consented for it to be released.

2. Right to restrict or object to the use of your information

We cannot share your information with anyone else for a purpose that is not directly related to your employment or a statutory requirement without your consent. If you wish to restrict or object to the use of your information, you should contact our Operations Manager.

3. Right to have incorrect information corrected

If you feel that the information we hold about you is incorrect, you have the right to ask for it to be corrected. This applies to matters of fact, not opinion. Incorrect contact information will be corrected immediately.

4. Right to data portability

This right only applies where the original processing is automated and is based on your consent or fulfilment of a contract that you are party to. In the spirit of the Regulation, you can request that your personal information is transferred in an electronic or other form to another organisation.

5. Right to appropriate decision making

The right to appropriate decision making applies to automated processing, including profiling, which produces legal outcomes, or that significantly affects you. The PCN has not identified any automated processing which is solely automated and without human involvement in the outcome of the decision.

6. Right to erasure

This is sometimes known as ‘the right to be forgotten’, but it is not an absolute right. You cannot ask for this right in relation to records which the PCN is legally bound to retain. The PCN has an obligation not to retain information for longer than is necessary and to dispose of information securely.

7. Right to lodge a complaint

If you are dissatisfied with the handling of your personal information, you have the right to make a complaint. In the first instance, formal complaints should be addressed to the PCN Operations Manager.

You also have the right to make a complaint to the Information Commissioner’s Office (the independent regulator of data protection) by using their online submission form https://ico.org.uk/global/contact-us/  or by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Tier Three - The Law Explained

There are six core principles to data protection legislation:

  1. Personal data must be processed lawfully, fairly and transparently (lawfulness, fairness and transparency).
  2. Personal data must be collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes (purpose limitation).
  3. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
  4. Personal data must be accurate and up to date (accuracy).
  5. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation).
  6. Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

The PCN relies on the following lawful bases for processing your personal data under the GDPR and for processing information about staff criminal convictions and offences:

  • Article 6(1)(b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
  • Article 6(1)(c): “processing is necessary for compliance with a legal obligation to which the controller is subject”
  • Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

The PCN must operate in accordance with UK legislation such as the National Health Service Act 2006, the Health and Social Care (Safety and Quality) Act 2015, Equality Act 2010, Health and Safety at Work Act 1974, Transfer of Undertakings (Protection of Employment) Regulations 2006, the Crime and Disorder Act 1998, Terrorism Act(s), Children’s Act(s) 1989 and 2004, Mental Health Act 1983 and 2007.

Where the information we process is special category data, the additional bases that we rely on for processing under the GDPR are:

  • Article 9(2)(b): “Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.”
  • Article 9(2)(f): “Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”
  • Article 9(2)(h): “Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services.”
  • Article 9(2)(i): “Processing is necessary for reasons of public interest in the areas of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.”
  • Article 9(2)(j): “Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Where data has been anonymised it is not considered to be personal data and the General Data Protection Regulation 2016/679 and Data Protection Act 2018 will not apply. 

Our organisation upholds transparency and fairness through the use of this privacy notice.  We uphold data minimisation techniques like pseudonymisation and anonymisation where possible to protect data and ensure that the purpose of processing is relevant and adequate.  The PCN holds data security in the highest importance; our systems have role-based access and clinical systems are auditable to ensure transparency in the use of systems by staff.  Devices are encrypted and all our staff undertake annual mandatory data security training.  Where we hold paper records, these are held securely in a locked filing cabinet in a locked office.  Internal policies and controls are in place to protect your information. 
