1 Council Contact Details
1.1 West Northamptonshire Council
One Angel Square
Tel: 0300 126 7000
1.2 This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
It applies to all employees, workers and contractors.
The Council is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
The Council collects and processes personal data relating to its employees to manage the employment relationship (often referred to as the performance of a contract and/or compliance with a legal obligation). The Council is committed to being transparent about how it collects and uses your data and to meeting its Data Protection obligations.
2 Information that we hold
2.1 The Council collects and processes a range of information about you.
- Your name, address and contact details, including email address and telephone number, date of birth and gender
- The terms and conditions of your employment
- Employment references and the results of any pre-employment screening or recruitment paperwork
- Details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Council
- Information about your pay, remuneration and pension (where applicable)
- Details of your bank or building society account and national insurance number
- Information about your marital status, next of kin, dependants and emergency contacts
- Information about your nationality and entitlement to work in the UK
- Information about your criminal record (where applicable)
- Photographs used for staff passes, building access etc.
- Details of your schedule (days of work and working hours) and attendance at work
- Details of periods of leave taken by you such as holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
- Details of any disciplinary, grievance or any other procedures in which you have been involved, including any warnings issued to you and related correspondence
- Assessments of your performance, including appraisals, performance reviews, training you have participated in, performance improvement plans and related correspondence
- Health and Safety data eg Accident Reports, Risk Assessments, vehicle licence plate, RIDDORs etc.
- Information about medical or health conditions, including whether or not you have a disability for which the Council needs to make reasonable adjustments
- Details of trade union membership and
- Equal opportunities monitoring information, including information about your ethnic origin, age, gender, sexual orientation, disability and religion or belief.
Emergency Contact Numbers
We will ask you to provide emergency contact numbers so that we are able to contact your next of kin/appointee in the case of an emergency. This information will only be used for that specific purpose. In providing this information, you do so with the clear and general understanding that you have obtained the prior consent of the named third party, unless it is not reasonable for you to do so.
It is your responsibility to inform the Council immediately if this information is subject to change; to enable us to keep our records updated and allow us to administer for such an occurrence on your behalf.
2.2 Further guidance is available on the Council’s website and internal intranet pages.
3 How the information is obtained
3.1 The Council collects this information in a variety of ways. For example, data is collected through application forms, obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments.
3.2 There are a number of reasons why we need to collect and use your personal information. Generally, we collect and use personal information where:
- It is necessary to meet our legal obligations
- You have requested a service from us
- You have entered into a contract with us
- It is necessary to protect public health
- It is required for the defense of legal cases
- It is needed for employment purposes
- You, or your legal representative, have given us your consent
- You have made your information publicly available
- It is necessary for law enforcement reasons and to prevent, and detect fraud or crime
- We need to protect individuals from harm (in an emergency); or
- It is necessary for archiving, research, or statistical purposes. For these purposes your data would be used in a pseudonymised format (name and other identifying information replaced with a unique number).
4 What we do with the information
4.1 The Council needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer pension entitlements.
In some cases, the Council needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's right to work in the UK, to deduct tax, to comply with health and safety legislation and to enable employees to take periods of leave, to which they are entitled.
For certain positions, it is necessary to carry out a criminal records check to ensure that individuals are permitted to undertake the role in question.
In other cases, the Council has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the Council to:
- Run recruitment and promotion processes
- Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
- Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes
- Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
- Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the Council complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
- Ensure effective general HR and business administration
- Provide references on request for current or former employees, which may include providing limited data about your sickness absence, conduct, performance and relevant disciplinary action/warnings and for safer recruitment purposes
- Respond to and defend against legal claims
- Maintain and promote equality in the workplace and
- To operate accident and incident reporting procedures, and track progress and required actions eg completion of RIDDOR reports.
Where the Council relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). The Council will use and process trade union membership data to allow subscriptions to be made to trade unions directly under Deduction of Contributions at Source (DOCAS) arrangements. This is also known as ‘check-off’.
Where the Council processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the Council uses for these purposes is anonymised or collected with the express consent of employees, and can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
4.2 The Council seeks information from third parties with your consent, such as references and criminal records checks (DBS).
Your information will be shared internally (as appropriate), including with members of the HR and Payroll teams, your line manager, managers in the business area in which you work, Audit and IT staff, if access to the data is necessary for performance of their roles.
The Council shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service (DBS). The Council may also share your data with third parties in the context of the transfer/sale of some or all of its business (TUPE). In those circumstances the data will be subject to confidentiality arrangements.
The Council also shares your data with third parties that process data on its behalf in connection the provision of employment services and the statutory requirements that we have to comply with. This may include:
- OPUS Northamptonshire
- LGSS Law
- Local Government Organisations (particularly LGSS and other relevant partner County, City and District Councils) – specify Lead Authority Model CCC, MKC and Northamptonshire Children’s Trust
- DBS Processing – Kent County Council
- North Northamptonshire – host and lead
- Central Government Departments
- HML (Occupational Health)
- Law Enforcement Agencies, such as the Police
- Education Establishments such as schools
- Regulatory Bodies, Investigators and Ombudsman (for example Ofsted, CQC, Local Government Ombudsman, HSE)
- Courts, Tribunals and Prisons
- Legal Representatives
- Service Users (and families where relevant)
- Fraud Prevention Agencies
- Banks and Financial Institutions (eg mortgage requests) – following your permission
- Debt Collection Agencies
- Current, Past and Prospective employers
- Trade Unions
- Press and the Media
- Councillors and Political Parties
- Housing Associations and Landlords
- Survey and Research Organisations
We participate in the Cabinet Office's National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
The Council will not transfer your data to countries outside the European Economic Area.
COVID 19 Response
During the COVID19 pandemic, there will be a need for personal and sensitive data (health and testing results information) to be shared internally and with other organisations such as local hospitals carrying out the tests. This is to ensure access to testing for our staff, timely actions for those who test positive and planning across key services during periods of absence. In line with Government and ICO guidance, the information shared will be minimised, proportionate and appropriate to your specific circumstances.
Please be aware that the Council applies the exemption under Schedule 2 of the DPA 2018. This means that confidential references provided to the Council by other and previous employers will not be disclosed in any circumstances. Where an employee makes a Subject Access Request (SAR) any confidential references in their records or on file, will therefore not be shared with them.
4.3 We do not apply automated decision making and our recruitment processes are not based on automated decision-making.
Automated decision-making is where decisions are made about you without any human influence on the outcome. These may affect your legal rights or have an impact on your circumstances, behaviour or choices.
4.4 We do not apply profiling and our employment and recruitment processes do not use profiling.
Profiling is where you analyse parts of an individual’s personality, behaviour, interests and habits to identify their preferences, make predictions or decisions about them.
5 How long we keep your information for and how we securely dispose of it after use
5.1 The Council takes the security of your data seriously. The Council has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
For example, the HR and Payroll database has restricted access, personnel files are stored in locked cabinets with restrictions on access. Data is retained in line with the Council’s retention and specific HR Retention Policy documents or as specified in separate policies such as the Council’s Disciplinary Policy.
Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
5.2 The periods for which your data is held are set out in the Retention of Records and HR Records Retention Policy. This is available upon request.
6 How we store your information
6.1 Data is stored securely in a range of different places, including in your personnel file, in the Council's HR management systems and in other IT systems (including the Council's email system).
7 Your Data Protection Rights
7.1 The law gives you a number of rights to control what personal information is used by us and how we can use it. Please see section 15 of the council’s Corporate Privacy Notice for further information.
7.2 Please be aware that your rights may differ depending on the lawful basis for processing your personal data. As a data subject, you have a number of rights.
- Access and obtain a copy of your data on request
- Require the Council to change incorrect or incomplete data
- Require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- Ask the Council to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the Council's legitimate grounds for processing data.
If you would like to exercise any of these rights, please contact the Data Protection Officer. Subject access requests can be made in writing to the Data Protection Officer.
If you believe that the Council has not complied with your Data Protection rights, you can also complain to the Information Commissioner.
You have some obligations under your employment contract to provide the Council with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the Council with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Council to enter a contract of employment with you. If you do not provide other information, this will hinder the Council's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Article 20 of the GDPR grants you the right to receive a copy of certain personal data held by the Council and the right to transfer that personal data to another organisation (data controller). We require that you submit this request in writing via postal mail to the DPO whose details are provided at the beginning of this policy. We expect to respond to your request within one month of receipt of a fully completed form and proof of identity.
7.3 The right to withdraw consent (if applicable). You can ask that we no longer use your details for this [processing/groups of processing]. If you wish to exercise this right, please contact the Data Protection Officer (DPO) as detailed in section 8.1 below.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, such as next of kin data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Council’s DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest and we must also put in place appropriate measures to safeguard your rights.
8 Who to contact
8.1 If you would like further information about how we use your personal information, or you wish to exercise one of your data rights or you wish to complain about the use of your personal information please contact the Data Protection Officer.
8.2 If you are still dissatisfied once you have contacted the Data Protection Officer, you have the right to complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office
Helpline number: 0303 123 1113
This Privacy Notice was completed on 1 April 2021.
The Privacy Notice review date is 1 April 2022.