GDPR Data Protection Policy
Company Name: Unique Nursing Services
Policy No.: UNS006
Policy Name: GDPR Privacy Notice
Section 1 – The Data Protection Act 1998
Section 2 – The eight principles of data protection
Section 3 – Sensitive personal data
Section 4 – Information Security
Section 5 – Subject access requests
Section 6 – References
Section 7 – Human Rights Act 1998
Section 8 – Introduction
Section 9 – Collection and use of personal data
Section 10 – Recipient(s) of data
Section 11 – Statutory/contractual requirement
Section 12 – Overseas Transfers
Section 13 – Data Retention
Section 14 – Your rights
Section 15 – Complaints or queries
SECTION 1: The Data Protection Act 1998
Unique Nursing Services processes personal data in relation to its own staff, work-seekers and individual client contacts – therefore it is a “data controller” for the purposes of the Data Protection Act 1998.
The Company holds personal data on individuals (“data subjects”) for the following general purposes:
• Staff administration.
• Advertising, marketing and public relations.
• Accounts and records.
• Administration and processing of work-seekers’ personal data for the purposes of work-finding services.
SECTION 2: The eight principles of data protection
The Data Protection Act 1998 requires the Company as data controller to process data in accordance with the principles of data protection. These require that personal data shall be:
1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive.
5. Not kept longer than necessary.
6. Processed in accordance with the data subjects’ rights.
7. Kept securely.
8. Not transferred to countries outside the European Economic Area without adequate protection.
“Personal data” means data which relates to a living individual who can be identified from the data, or from the data together with other information which is in the possession of, or is likely to come into the possession of, the Company.
“Processing” means obtaining, recording or holding the data or carrying out any operation or set of operations on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. It is difficult to envisage any activity involving data which does not amount to processing. It applies to any processing that is carried out on a computer, including any type of computer however described: mainframe, desktop, laptop, iPad, BlackBerry® or other mobile device.
Personal data should be reviewed on a regular basis to ensure that it is accurate, relevant and up to date and those people listed in the Appendix shall be responsible for doing this.
Personal data may only be processed with the consent of the person whose data is held. Therefore, if they have not consented to their personal details being passed to a third party, this may constitute a breach of the Data Protection Act 1998. By instructing the Company to look for work and by providing us with personal data contained in a CV, work-seekers will be giving their consent to processing their details for work-finding purposes. If you intend to use their personal data for any other purpose you MUST obtain their specific consent.
Caution should be exercised before forwarding the personal details of any individuals on whom personal data is held, to any third party such as past, current or prospective employers, suppliers, customers and clients, persons making an enquiry or complaint and any other third party.
SECTION 3: Sensitive personal data
Personal data in respect of the following is “sensitive personal data” and any information held on any of these matters MUST NOT be passed on to any third party without the express written consent of the individual:
• Any offence committed or alleged to be committed by them.
• Proceedings in relation to any offence and any sentence passed.
• Physical or mental health or condition.
• Racial or ethnic origins.
• Sexual life.
• Political opinions.
• Religious beliefs or beliefs of a similar nature.
• Whether someone is a member of a trade union.
SECTION 4: Information security
From a security point of view, only those staff listed in the Appendix are permitted to add, amend or delete personal data from the Company’s database(s) (“database” includes paper records or records stored electronically). However, all staff are responsible for notifying those listed where information is known to be old, inaccurate or out of date. In addition, all employees should ensure that adequate security measures are in place. For example:
• Computer screens should not be left open by individuals who have access to personal data.
• Passwords should not be disclosed.
• Email should be used with care.
• Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
• Personnel files should always be locked away when not in use and when in use should not be left unattended.
• Any breaches of security should be treated as a disciplinary issue.
• Care should be taken when sending personal data in internal or external mail.
• Destroying or disposing of personal data counts as processing. Therefore, care should be taken in the disposal of any personal data to ensure that it is appropriate. Such material should be shredded or stored as confidential waste awaiting safe destruction.
It should be remembered that the incorrect processing of personal data e.g. sending an individual’s details to the wrong person, allowing unauthorised persons access to personal data, or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against the Company for damages from an employee, work-seeker or client contact. A failure to observe the contents of this policy will be treated as a disciplinary offence.
SECTION 5: Subject access requests
Data subjects are entitled to obtain access to their data on request and at no charge. All requests to access personal data by data subjects should be referred to the Compliance Manager, whose details are listed in the Appendix to this policy.
SECTION 6: References
Any requests for access to a reference given by a third party must be referred to the Compliance Manager and should be treated with caution even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with the Data Protection Act 1998, and not disclosed without their consent. Therefore, when taking up references an individual should always be asked to give their consent to the disclosure of the reference to a third party and/or the individual who is the subject of the reference if they make a subject access request. However, if they do not consent then consideration should be given as to whether the details of the individual giving the reference can be deleted so that they cannot be identified from the content of the letter. If so, the reference may be disclosed in an anonymised form.
SECTION 7: The Human Rights Act 1998
Finally, it should be remembered that all individuals have the following rights under the Human Rights Act 1998 and in dealing with personal data these should be respected at all times:
• Right to respect for private and family life (Article 8).
• Freedom of thought, conscience and religion (Article 9).
• Freedom of expression (Article 10).
• Freedom of assembly and association (Article 11).
• Freedom from discrimination (Article 14).
SECTION 8: Introduction
Unique Nursing Services Ltd is a recruitment business, providing work-finding services to its Clients and Clinicians. Unique Nursing Services must process personal data (including sensitive personal data) so that it can provide these services – in doing so, Unique Nursing Services acts as a data controller.
You may give your personal details to Unique Nursing Services directly, such as on an application or registration form or via our website, or we may collect them from another source such as a jobs board.
Unique Nursing Services must have a legal basis for processing your personal data. For the purposes of providing you with work-finding services and/or information relating to roles relevant to you we will only use your personal data in accordance with the terms of the following statement.
SECTION 9: Collection and use of personal data
Purpose of processing and legal basis
Unique Nursing Services will collect your personal data (which may include sensitive personal data) and will process your personal data for the purposes of providing you with work-finding services. The legal bases we rely upon to offer these services to you are:
• Legitimate interest
Where the Company has relied on a legitimate interest to process your personal data, our legitimate interests are as follows:
We consider the legal basis for this processing to be our legitimate interest in finding an appropriate person for a job vacancy. We consider that by registering with Unique Nursing Services, you have given us your permission to collect and hold personal information for the purpose of disclosing this information to potential employers and clients in our recruitment process.
SECTION 10: Recipient(s) of data
Unique Nursing Services may process your personal data and/or sensitive personal data with the following recipients:
• Clients for work-finding services
• Payroll Systems (Safe Outsourcing)
• Online rostering / Workforce management system / Document Storage (Web Roster)
• Document destruction service (Shred-It)
• Auditors (Neuven Solutions)
• Cloud Based Hosting Services (Excalibur)
• Email Marketing Tools / Analytics Tool (Canddi)
SECTION 11: Statutory/contractual requirement
Your personal data is required by law and/or a contractual requirement (e.g. our client may require this personal data), and/or a requirement necessary to enter into a contract. You are obliged to provide the personal data and, if you do not, the consequences of failure to provide the data are:
Failure to provide this data will affect our ability to complete the recruitment process and therefore we would be unable to find you suitable work.
SECTION 12: Overseas Transfers
Unique Nursing Services may transfer only the information you provide to us to countries outside the European Economic Area (‘EEA’) for the purposes of providing you with work-finding services. We will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
SECTION 13: Data retention
Unique Nursing Services will retain your personal data only for as long as is necessary. Different laws require us to keep different data for different periods of time.
The Conduct of Employment Agencies and Employment Businesses Regulations 2003 require us to keep work-seeker records for at least one year from (a) the date of their creation or (b) after the date on which we last provide you with work-finding services.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.
SECTION 14: Your rights
Please be aware that you have the following data protection rights:
• The right to be informed about the personal data the Company processes on you;
• The right of access to the personal data the Company processes on you;
• The right to rectification of your personal data;
• The right to erasure of your personal data in certain circumstances;
• The right to restrict processing of your personal data;
• The right to data portability in certain circumstances;
• The right to object to the processing of your personal data that was based on a public or legitimate interest;
• The right not to be subjected to automated decision making and profiling; and
• The right to withdraw consent at any time.
Where you have consented to the Company processing your personal data and sensitive personal data you have the right to withdraw that consent at any time by contacting either the General Manager or Registrations & Compliance.
SECTION 15: Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out, please contact the General Manager.
Office Telephone: 0161 998 2132
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.