This privacy notice is designed to help you understand how and why human resources process your personal data. This notice should be read in conjunction with the council’s corporate privacy notice and other purpose-specific notices which can be found at the end of this page.
Who are we?
Richmondshire District Council is a ‘Data Controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR).
The council has appointed Veritau Ltd to be its data protection officer. Their contact details are:
Information Governance Office
Who do you keep information about?
Information and records are maintained and processed on applicants, employees (existing and former) and staff, including agency staff, where we have an obligation to undertake health surveillance and provide occupational health services.
Why do you keep information about me?
Review and referral documentation from managers and HR will be held on the occupational health file as well as documentation from third party health providers/professionals such as an employee's consultant, GP, counsellor and physiotherapist. An employee will have authorised access to third party advice and reports regarding their health and ability to conduct their employment contract.
Occupational health records are clinical in nature and contain documents used as part of fulfilling the contract of employment. Records commence from the pre-employment questionnaire that applicants complete through to absence management and health surveillance undertaken in the course of the employment contract.
Health related information is held to enable the council to manage its human resources associated with the performance of the contract of employment and agreed services for work. Medical advice sought and received will be used as part of management decision making in the course of preventative or occupational medicine for assessing working capacity and abilities following medical diagnosis.
Medical information will only be obtained where required. Medical testing/examinations will only be undertaken as part of an Occupational Health/Health and Safety Programme where they are necessary to prevent risks, determine a worker's fitness to carry out his/her duties safely and comply with legal obligations in order to fulfil the contract of employment.
Medical information will be used alongside other HR information where appropriate and will be shared with designated Human Resources Officers/Managers, designated Health and Safety Officers/Managers, trade unions and other medical professionals that the council engages and contracts with in order to progress health related issues associated with the employment contract.
The legal conditions we are relying upon to process your personal data are set out in Article 6 and Article 9 of the General Data Protection Regulation (GDPR). They are ‘Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract’ and ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…’ As such, we will not ask for your ‘consent’ to process your personal data. Failure to provide this information will result in management decisions being based on the information held.
Who can see my information?
Access is restricted to authorised managers, officers and third party organisations who have been authorised to process personal and sensitive personal information relating to the health of an employee.
All the council's third party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with the council's instructions.
How do you store the information you keep about me?
Information is stored in paper medical files, electronic medical case files, the HR database, spreadsheets and Word documents, and encrypted and password-protected emails. Health related information and records are stored separately from, and in addition to, an employee's personal file held in HR and records held by an individual manager as part of management arrangements.
How long do you keep information about me?
Guidance states that individual health records should be retained until an employee reaches 100 years old. Health surveillance records should be maintained and reviewed after 40 years from the date of the last entry.
Medical information which appears on the employee's personal file (rather than occupational file) is deleted and confidentially destroyed in line with personal file retention periods (see separate privacy notice).
Records remain on the electronic databases in line with retention periods, at which point they are reviewed and permanently deleted as appropriate. They are also in line with the privacy notice relating to HR information.
How did the council get my personal data?
Data is received from health professionals, former employers, managers, human resources and Health and Safety.
In cases where your personal data was obtained from a source other than yourself or your representative, we will inform you of the origin of the information within one month, unless that information is being used to contact you, in which case, that information should be provided to you at the latest, upon first communication with you. However, it is not necessary to provide that information in cases where you already possess the information, where recording or disclosure is expressly laid down in law or where provision of the information proves impossible or would involve disproportionate effort.
What sort of information do you keep?
We may use the following information about you to make sure that we provide you with the right service, advice or support.
- Identification number
- Location data
- One or more factors specific to the physical identity of a natural person
- One or more factors specific to the physiological identity of a natural person
- One or more factors specific to the genetic identity of a person
- One or more factors specific to the mental identity of a person
- One or more factors specific to the economic identity of a person
- One or more factors specific to the cultural identity of a person
- One or more factors specific to the social identity of a person
Special categories of personal data:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Data concerning a natural person's sex life or sexual orientation