Staff Fair Processing Notice

This information is for staff who are employed by East Riding of Yorkshire Clinical Commissioning Group (hereafter referred to as ‘the CCG’). This should be read in conjunction with the general Fair Processing Notice available on our website.

During the course of our activities, the CCG will collect, store and process personal information about our prospective, current and former staff. For the purposes of this Fair Processing Notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This Fair Processing Notice provides a summary of how we will ensure that we do that, by describing:

  • the categories of personal data we may handle
  • the purpose(s) for which it is being processed
  • the person(s) / organisation(s) it may be shared with

This Notice also explains what rights you have to control how we use your information.

What laws apply to the handling of personal information?

How organisations can use personal information is determined by law. The key legislation governing the use of information is listed below:

  • The Data Protection Act 2018
  • The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Computer Misuse Act 1998
  • Audit Commission Act 1998
  • Regulation of Investigatory Powers Act 2000
  • Access to Health Records Act 1990

The Data Protection Act 2018 (DPA) is the law that primarily determines how we can use your personal data.
For the purposes of the Data Protection Act 2018, the CCG is the “Data Controller” (the holder, user and processor) of staff information.

What types of personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Contact details such as names, addresses, telephone numbers
  • Emergency contact(s)
  • Education and training
  • Employment records (including professional membership, references and proof of eligibility to work in the UK)
  • Bank details
  • Pension details
  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
  • Medical information including physical health or mental condition
  • Information relating to health and safety
  • Trade union membership
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment Tribunal applications, complaints, accidents, and incident details

What is the purpose of processing data?

Under the DPA, the CCG only processes your personal data where we have your consent or where the processing can be legally justified. This includes circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligations which apply to the CCG as your employer. This will include sharing your information with other bodies where we have a statutory or legal obligation to do so (please see ‘Other Bodies’ below).

These obligations may include (but are not limited to):

  • Staff administration (including payroll)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Crime prevention and prosecution of offenders
  • Education
  • Health administration and services
  • Information and databank administration
  • Sharing and matching of personal information for national fraud initiative

Other than where there is a statutory / legal requirement to share your information we will not publish any information that identifies you or routinely disclose any information about you without your express consent. At any time you have the right to refuse / withdraw consent to information sharing.

The CCG does not directly provide health care services and therefore does not hold personal health care records. If you wish to have sight of, or obtain copies of, your own personal health care records you will need to apply to your GP Practice, the Hospital or NHS Organisation which provided your health care.

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with any Court Order which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

In order to comply with our obligations as an employer we will need to share your information as follows:

Employee Records and Contracts Administration (eMBED)
eMBED Health Consortium is led by Kier and run in partnership with Dr Foster, BDO and Engine, providing a range of services to CCGs in the Yorkshire and Humber region. We share information with eMBED and allow them access to employee personal data as they are responsible for undertaking our recruitment (including pre-employment checks); creating and updating all employee data in ESR (see below); and maintaining employee personal files.

Payroll Administration
The payroll of the CCG is managed by Victoria Payroll Services. Your personal information will be made available to Victoria Payroll Services through ESR (see below) in order to allow them to pay your salary and any associated expenses and to comply with our legal and statutory obligations. From time to time we will need to share information with Victoria Payroll Services in order to ensure that they deliver the services we require.

In addition, CCGs are mandatory participants in the Cabinet Office’s National Fraud Initiative (NFI). The NFI is a data matching exercise run every other year, where our payroll and trade creditors data is compared against data provided from other NHS and public sector organisations. Payroll data is supplied centrally to the Cabinet Office via IBM, as they oversee the Electronic Staff Record, and NHS Shared Business Services (on behalf of NHS England) will provide the CCG’s trade creditors data directly to the Cabinet Office. We then receive the matches back for further review. More detail is available here.

Management of Employee Staff Record (ESR)
The information which you provide to the CCG during the course of your employment will be shared with eMBED for maintaining your employment records. Your personal information may also be used to fulfil other employer responsibilities, for example, by maintaining appropriate occupational health records, complying with health and safety obligations, carrying out any necessary security checks, and all other employment related matters. In addition, the information held may be used in order to send information to you, which is relevant to our relationship with you.

Your information will only be disclosed as required by law or to our appointed agents and/or service providers who may be used for a variety of services; for example, processing of payroll, provision of pensions administration.

IBM, who are the system supplier of ESR, will be responsible for maintaining the system. This means that they may occasionally be able to access your staff record, but only to ensure that the ESR works correctly. Even where this happens, access will be very limited and is only to allow any problems with the computer system to be fixed as necessary. They will not have the right to use this data for their own purposes and we have contracts in place to ensure that the data is protected and that they only act on our instructions.

Occupational Health
The CCG Occupational Health Service and Employee Assistance Programme are managed by eMBED. Your personal information will need to be shared with eMBED as and when required in order to allow them to provide the CCG employees and managers with the services required.

Other Bodies
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

We may obtain and share personal data with a wide variety of other bodies, which may include but is not limited to:

  • Her Majesty's Revenue and Customs (HMRC)
  • Disclosure and Barring Service
  • Home Office
  • Child Support Agency
  • Central government, government agencies and departments
  • Other local authorities and public bodies
  • Ombudsman and other regulatory authorities
  • Courts/Prisons
  • Financial institutions, e.g. banks and building societies, for approved mortgage references
  • Credit Reference Agencies
  • Utility providers
  • Educational, training and academic bodies
  • Law enforcement agencies including the Police, the Serious Organised Crime Agency
  • Emergency services, e.g. the Fire and Rescue Service
  • Auditors, e.g. Audit Commissioner
  • Department for Work and Pensions (DWP)
  • The Assets Recovery Agency
  • Relatives or guardians of an employee where there is a legal duty to do so

If you post or send offensive, inappropriate or objectionable content anywhere on this website, or otherwise engage in any disruptive behaviour on it, we may use whatever information is available to us about you to stop such behaviour.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. Further details of these purposes can be found by logging into the ICO website and entering the name East Riding of Yorkshire Clinical Commissioning Group at:

Retaining Information

We will only retain information for as long as necessary. Records are maintained in line with the CCG Records Management Policy which determines the minimum length of time records should be kept.

The Data Protection Act 2018

Under the Data Protection Act, we have a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it. We will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and we are allowed or required to by law.

What if the data you hold about me is incorrect?

It is important that the information we hold about you is kept up to date. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting your manager and your local HR team.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At Governing Body level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents. The SIRO for the CCG is Richard Dodson, Chief Finance Officer.

All staff are required to undertake annual Information Governance (IG) training and are provided with an IG User Handbook that they are required to read, understand and agree to adhere to. The handbook ensures that staff are aware of their IG responsibilities and follow best practice guidelines, ensuring the necessary safeguards for, and appropriate use of, person-identifiable and confidential information.

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

How to get access to your personal data?

The Data Protection Act 2018 gives you the right to access the information which the CCG holds about you and why. For details on how to make an application please refer to the general Fair Processing Notice available on this website.

Changes to our privacy notice

We keep our Privacy Notice under regular review and we will place any updates on this webpage. This notice was last updated in March 2016.