Service Specific Privacy Notices

Employee Privacy notice

East Northamptonshire Council is committed to protecting your privacy when you use our services. This Privacy Notice explains how we use information about you and how we protect your privacy.

The organisation collects and processes personal data relating to its employees to manage the employment relationship. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects and processes a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • the terms and conditions of your employment;
  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • details of your bank account and national insurance number;
  • information about your marital status, next of kin, dependants and emergency contacts;
  • information about your nationality and entitlement to work in the UK;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
  • information about any  criminal record you may have;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
  • details of trade union membership; and
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

The organisation is clear that the last 4 bullet points above relate to classes of special category data (formerly known as sensitive personal data).

The organisation collects this information in a variety of ways. For example, data is collected through application forms or CVs; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the organisation collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

How is the information stored?

Data is stored securely in a range of different places, including in your personnel file, in the Council's HR management systems and in other IT systems. Access is restricted to the HR team.

Why does the organisation process personal data?

The organisation needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer [benefit, pension and insurance entitlements].

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable employees to take periods of leave to which they are entitled, and to consult with employee representatives if redundancies are proposed or a business transfer is to take place. [For certain positions, it is necessary to carry out criminal records checks (DBS) to ensure that individuals are permitted to undertake the role in question.]

In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the organisation to:

  • run recruitment and promotion processes;
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights; 
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • ensure effective general HR and business administration;
  • conduct employee engagement surveys;
  • provide references on request for current or former employees;
  • respond to and defend against legal claims; and
  • maintain and promote equality in the workplace.

It is possible for more than one of the bases to apply at any time. The Council will frequently be able to rely upon Article 6.1 (b), (c) and (e) as a lawful basis for processing employee personal data.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and, where the legitimate interest test is relevant; it may conclude that they are not.

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). [Information about trade union membership is processed to allow the organisation to operate check-off for union subscriptions.]

Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

When processing special category data the Council would frequently be able to rely upon Article 9.2 (b), (g), (h) and (j).

Information about criminal convictions is not a special category of information under the GDPR. It is safeguarded under Article 10 which states we may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.

Who has access to data?

Your information will be shared internally, including members of the HR and recruitment team, your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles. It may also be shared in internal communications, such as InHouse, to keep the organisation up to date on starters, leavers, changes and staff achievements.

The Council also shares your data with third parties that process data on its behalf in connection with payroll and the provision of HR services, pensions and occupational health services.

The organisation shares your data with third parties in order to [obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.]

Your data may also be shared with employee representatives in the context of collective consultation on a redundancy or business sale. [This would be limited to the information needed for the purposes of consultation, such as your name, role and length of service.]

Please refer to the organisations' main privacy statement regarding transferring of data to countries outside of the European Economic Area.

How we keep your information safe.

The organisation takes the security of your data seriously.  Please refer to the organisations' main privacy statement regarding keeping your information safe.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data and that they meet the requirements of the current data protection legislation.

How long do we keep your data?

The organisation will hold your personal data for the duration of your employment.  The periods for which your data is held after the end of employment are set out in policy on records retention.

Your rights

As a data subject, the law gives you a number of rights to control what personal information is used by us and how we can use it. Please refer to the organisations' main privacy statement regarding keeping you in control.

Withdraw consent where consent is the legal basis for processing data

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, such as next of kin data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Council's DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Automated decisions

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

a.            Where we have notified you of the decision and given you 21 days to request  reconsideration.

b.            Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.

c.             In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

The Council's only automated decision making is automatic pay increments within a salary grade defined in the employment particulars and automatic increases in other benefits, such as annual leave provisions.

What if you do not provide personal data?

You have some obligations under your employment contract to provide the organisation with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith, i.e.  acting in an honest and co-operative way within the spirit of the contract.  You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the organisation to enter a contract of employment with you. Providing this and other information allows the organisation the ability to administer the rights and obligations arising as a result of the employment relationship effectively.

Your data rights and the Data Protection Officer

For further information about how East Northamptonshire Council uses your personal data, including your rights as a data subject, please see our Privacy Policy on the Website. If you are unhappy with the use of your personal data or for further information please contact the council's Data Protection Officer by email dataprotection@east-northamptonshire.gcsx.gov.uk or call 01832 742229.