Data Protection Privacy Notice (employment/volunteers)
Forget Me Not Children’s Hospice and FMNT Trading Ltd are committed to protecting and respecting your privacy.
This notice explains what personal data (information) we hold about you, how we collect and use it, and when we may share it. The notice applies before, during, and after your period of employment, or period of volunteering. We are required to notify you of this information under data protection legislation, so please ensure that you read it carefully, along with any other similar notices that we may provide you with when we collect or process personal information about you.
This privacy notice applies to both Forget Me Not Children’s Hospice (‘FMN’) and FMNT Trading Ltd.
Who are we?
Forget Me Not Children’s Hospice supports children with life-shortening conditions and their families across West Yorkshire and North Manchester. Forget Me Not Children’s Hospice is a registered charity (no. 1110457). The registered address is Forget Me Not Children’s Hospice, Russell House, Fell Greave Road, Huddersfield, HD2 1NH.
Forget Me Not Children’s Hospice consists of both the charity and our trading company, FMNT Trading Ltd (company number 06332306), which is 100% owned by the charity. We share your personal information between the two companies for the purposes of handling and administering your employment or volunteering contract (for example for processing payroll or employee benefits).
This privacy notice explains how Forget Me Not Children’s Hospice and FMNT Trading Ltd use personal information. All references to ‘we’, ‘FMN’, ‘us’ or ‘our’ in this notice refer to both Forget Me Not Children’s Hospice and FMNT Trading Ltd.
Both companies are registered as Data Controllers, which means we decide how, when and why your personal data will be used. This is explained in more detail later in this policy.
If you have any questions, please contact us by:
Telephoning: 01484 411040
Writing to us: Forget Me Not Children’s Hospice, Russell House, Fell Greave Road, Huddersfield, HD2 1NH
Data protection principles
About the information we collect and hold
The table set out in Schedule 1 (at the back of this notice) summarises the information we collect and hold, how and why we collect and use it, and who it may be shared with.
We need to process your information to enter into an employment contract or volunteering agreement with you, and to meet our obligations under your employment contract or volunteering agreement. For example, we need to process your data to pay you, process expenses, and to administer pension and employee benefits. We also need to process your information to handle job and volunteer applications, such as by inviting you to an interview.
Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws, and to allow employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal record checks to ensure that individuals are permitted to undertake the role in question.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment or volunteering relationship, which is set out in Schedule 1.
We also process some special categories of personal data, such as information about health or medical conditions. Information on why we do this, and what information we collect, is also set out in Schedule 1.
You can choose not to provide any information to us, however please be aware that without the information, we may be unable to enter into an employment contract or volunteering agreement with you. For example, if you choose not to provide your name, address and bank details, this will mean we are unable to pay you. As such, if you have any concerns about the information you are being asked to provide, we encourage you to contact us using the details at the top of this notice.
Who has access to your information?
Your information will be shared internally, including with members of the HR and Finance teams (including payroll), your line manager, managers in the business area in which you work, and IT and Facilities staff.
- Busy Bees Benefits, for the purposes of providing childcare vouchers;
- Evans Cycle to Work, for the purposes of providing tax-free bicycles and equipment;
- The Predicative Index, for the purposes of giving an overview of a candidates preferred behaviours (further information on this can be found in the ‘Profiling’ section in this policy;
- Any referees that you provided in your application form, for the purposes of obtaining pre-employment references from other employers and organisations;
- DBS Online, for the purposes of conducting pre-employment criminal background checks;
- Schofield Sweeney, for the purposes of seeking legal advice;
- Calderdale Royal Hospital, for the purposes of sending a colleagues medical history to enable them to administer vaccinations to those that require it for their job role;
- Ellipse Financial Systems, for the purposes of providing life assurance benefits;
- Fairways Pension Service, for the purposes of providing a NHS pension scheme;
- People's Pension Services, for the purposes of providing a lawful pension scheme;
- DocuSign, for the purposes of allowing electronic signing of employment and volunteering contracts, guidelines and company policies;
- Microsoft, for the purposes of providing you with an account that has access to our e-mail, online document storage, and video conferencing systems;
- Survey Monkey, for the purposes of employee and volunteer feedback and surveys;
- Best Companies, for the purposes of our employee engagement survey;
- Core Facilities Management, for the purposes of providing employment badges and IT Support;
- PeopleHR, for the purposes of providing a centralised location for storing and viewing employee records (including annual leave, appraisals and payroll information);
- RotaCloud, for the purposes of creating staff rotas which can be viewed and accessed online, and for requesting changes to shifts;
- PeopleSafe, for the purposes of providing a mobile-phone application to support and ensure the safety of lone-workers;
- Kirklees Council, for the purposes of fulfilling the ‘WorksBetter’ programme which supports people into work through referrals;
- Blue Stream Academy, for the purposes of training and development which is mandatory to role; and
- Making Life Work For You, for the purposes of providing an occupational health and well-being service.
We will only ever share the minimum information needed to allow these third parties to provide their services. For example, we will only ever share your name with Microsoft, as that is the only information needed to set you up with an account.
Please be aware that, for the purposes of providing staff ID employment cards, your photograph and name will be passed to the ID card printing supplier, and used only for the purpose of printing an ID card. The company used for this will vary depending on when your ID card was printed, so please contact the HR department for details of the supplier used.
There may be occasions where we need to record online video meetings (such as Zoom or Microsoft Teams meetings). For example, if we are carrying out staff training, or holding a staff update meeting, we may record this meeting to allow others to view the recording at a later date. Recordings will be held securely by Zoom Communications or Microsoft, and only used for the purpose stated at the beginning of the meeting. Likewise, you will be informed before the meeting begins that the meeting will be recorded, and will have the right to object and/or withdraw from the meeting.
It may not always be possible, or appropriate, for information shared with third parties to be anonymised, however we will always ensure recipients of the information are bound by confidentiality obligations.
We may also be required to share some personal information with our regulators, or as required to comply with the law. We may also share your data with third parties in the context of a sale of some or all of the business.
We will always seek to ensure that information that we collect and process is always proportionate, and will notify you of any changes to information we collect, or to the purposes for which we collect and process it.
How do we protect your data?
We take the security of your data seriously, and we have internal policies and controls in place to ensure that your data is not lost, destroyed, misused or disclosed, and is not accessed by anyone except by those authorised. Those processing your information will do so only in an authorised manner, and are subject to a duty of confidentiality. Likewise, we use strong passwords to control access to systems (such as the payroll system), and restrict system access to only those that need it. Further information on how we keep information secure can be found in the Network and Security Policy, which can be obtained by contacting us.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any relevant regulator (such as the ICO) of a suspected data security breach where we are legally required to do so.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
How long we keep your information
We keep your information during, and after, your employment or volunteering, for no longer than is necessary for the purposes for which the personal information is processed. Schedule 1, found at the back of this document, explains how long we hold specific types of information.
Accessing and updating your information, or finding out more
The accuracy of your information is important to us. If you need to correct any information that we hold about you (for example your email address), please contact us using the details at the top of this notice.
You can also ask us about how we use or handle your information, including:
- How we have decided how, why and when we process your data; and
- What categories of personal data we collect, store and process, including the purpose and legal basis for this processing;
You also have a number of rights, and if you would like to exercise any of these rights, please contact us using the details at the top of this notice. You can:
- Access and obtain a copy of your data on request;
- Require us to change incorrect or incomplete data;
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- Object to the processing of your data where we are relying on its legitimate interests as the legal ground for processing; and
- Ask us to stop processing data for a period of time if data is inaccurate, or if there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.
Sensitive Personal Data
Sensitive personal information is sometimes referred to as ‘special categories of personal data’ or ‘sensitive personal data’.
We may, from time to time, need to process sensitive personal information. We will only process sensitive personal information if:
- We have a lawful basis for doing so. For example, if it is necessary for the performance of an employment contract, or to comply with the our legal obligations, or for the purposes of our legitimate interests; and
- One of the special conditions for processing sensitive personal information applies, for example:
- You have given us explicit consent;
- The processing is necessary for the purposes of exercising employment law rights or obligations of you or us;
- The processing is necessary to protect your vital interests, and you are physically incapable of giving consent;
- Processing relates to personal data which are manifestly made public by you;
- The processing is necessary for the establishment, exercise or defence of legal claims; or
- The processing is necessary for reasons of substantial public interest.
Sensitive personal information will not be processed until:
- We have assessed whether the processing complies with the criteria noted above; and
- You have been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it.
Schedule 1 sets out types of sensitive personal information that we process, what it is used for, and the lawful basis for the processing.
Making a complaint
You have the right to make a complaint about how we (or any third parties) use your personal data. We encourage employees and volunteers to come forward with any suggestions and queries, and welcome people challenging us if they feel that the use of their information is unfair, misleading or inappropriate. You can contact us by using the details at the top of this policy.
You also have the right to make a complaint directly to the supervisory authority, which is the ICO. They can be contacted by telephone on 0303 123 1113. Alternatively, please visit their website: https://ico.org.uk/concerns
We regularly review this policy to ensure it reflects how we use and handle your information, and it was last updated in April 2021. We may, from time to time, need to change this policy, however we will always inform you of any changes to the way we use your personal information.
Updates in version 1.1
• Updated the list of sub-processors with the latest details of who we may share information with
• Removed the use of ‘profiling’ as this is not in use across the organisation.
For employees of Forget Me Not Children’s Hospice, we are required to retain information in accordance with guidelines and best practice issued by the NHS Information Governance Alliance. The schedule we follow is the “Records Management Code of Practice for Health and Social Care 2016”, and this informs the schedules shown below. If you have queries about any of the information shown below, please contact us.
You are required (by law or in order to enter into your contract of employment) to provide the categories of information marked ‘v’ above to us to enable us to verify your right to work and suitability for the position, to pay you, to provide you with your contractual benefits, such as to administer statutory payments such as statutory sick pay (SSP). If you do not provide this information, we may not be able to employ you, to make these payments or provide these benefits.