User Privacy – Healthera Employee

Your privacy rights when you’re employed by Healthera

This web page expands on the privacy information that has previously been made available to you (a copy of which can be found here).

The purpose of this notice is to explain how Healthera Limited collects and uses your personal information and how we comply with data protection law. As an employer Healthera must meet its contractual, statutory and administrative obligations.  We are committed to ensuring that the personal data of our employees is handled in alignment with the UK Data Protection Act 2018.  Healthera is the data controller unless this notice specifically states otherwise.

In this notice, we explain some things about the personal information Healthera holds, and your rights regarding this information. It’s important that you read it carefully, together with any other privacy notices and information that we provide you, from time to time.

 


Last updated on 14 August 2019

 

Detailed Wording and Content

 


 

About your personal information and where we obtain it 

 
What information do we use and where do we obtain it

We collect and receive different types of personal information about you, in order to fulfil the terms of the employment contract between you and us. We also process your personal information for HR and business administration purposes and to meet our legal and regulatory obligations. Personal information we hold about you includes any information that identifies you (e.g. name, address, phone number etc). It also includes personal information which relates to specific topics which are thought to be more privacy sensitive (e.g. information about your health, your gender, etc).

You can find more details about the type of information we hold about you in “What personal information we use and how long we keep it” (see below).

 

Sources of information

When you applied for employment with Healthera you provided us with personal information about you.

We also receive information about you from third parties. These can include:

  • employment agencies, if any
  • previous employers or referees, if any
  • agencies associated with you such as HMRC, Child Support Agency, Courts
  • organisations who help us with HR administration (provided on our behalf, over the term of your employment) in areas such as pension provision, occupational health, security clearance providers, payroll services

You need to help us keep the personal information we hold about you accurate. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Please note: The personal information you provide to us, as well as that we collect about you, is necessary for us to fulfil the terms of your employment contract, perform HR administration, and enable us to meet our legal obligations. Without it we may not be able to do so. For example, if you do not provide your bank details we will not be able to pay you.

 

How we’ll use your personal information

 
Fulfilment of your employment contract

In order to meet our obligations as an employer, we will use your personal information to:

  • Keep records of your employment with Healthera
  • To ensure you are paid correctly via our payroll provider
  • To process any ad hoc payments outside of the payroll process
  • To ensure correct taxes and national insurance are paid and HMRC has your correct details
  • To provide a workplace pension
  • To monitor staff wellbeing, by investigating or providing support with workplace issues such as potential bullying, harassment, grievance handling, diversity issues etc.
  • To ensure the Health and Safety of our staff
  • To organise Maternity, Paternity, Shared Parental and Adoption leave
  • To assess performance and conduct salary and grading reviews
  • To investigate any employer/employee disputes
  • To organise training and staff development
  • To track employees’ work-related learning undertaken
  • For business administration and planning purposes including absence reporting, holiday scheduling etc
  • To organise and manage staff appraisals and reviews and making related management decisions
  • To monitor staff compliance with Healthera policies, procedures and Healthera computer system usage to ensure the security of our premises, IT systems and employees

Lawful basis for processing your personal data

Depending on the processing activity, we rely on the following lawful bases for processing your personal data under the GDPR:

  • Article 6(1)(b) which relates to processing necessary for the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations as your employer.
  • Article 6(1)(f) for the purposes of our legitimate interest.

Special category data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

  • Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
  • Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
  • Article 9(2)(f) for the establishment, exercise or defence of legal claims.

In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.

 

What personal information we use and how long we keep it

We retain your personal data only for so long as it is required for the purposes for which it was collected, whilst keeping it as up to date as possible. It is our intention to make sure that data is retained in accordance with our retention schedule and that data is deleted as soon as reasonably practical thereafter. You can find out more details below.

 

Data we use

First name, Last name, Address, Postcode, Date of birth, Work email address, Mobile telephone number, Marital status, Gender, Salary, Staff pension details, Bank details, National Insurance number, Next of Kin details, Emergency contact details, Doctor’s details, Job Title, Grade, Work location, Continuous service date, Working pattern, Working hours, Time spent working and overtime, Leave taken, Trade Union Membership, Job and pay history, Previous employment history, Education history, Town of birth, Country of birth, Driving license number, Driving license issue date, Passport number, Passport issue date, Nationality, Security clearance information including information of any criminal convictions, Proof of identity documents, Ethnicity, Disability status, Religion, Gender at Birth, Health, Photo for staff directory and Healthera systems, Company issued device MAC address, Company issued telephone number, IMEI, Your consent to follow Healthera company policies, Slack messages, emails, Your response to staff surveys

 

 

How long we keep it for

To perform our contractual obligations and comply with applicable laws we generally retain your personal data for the duration of your employment plus an additional 6 years. 

We may keep some specific types of personal data (for example tax records, pension data) for different periods of time, as required by applicable laws.

Messages and emails will be stored for 6 years.

If you leave Healthera we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

 

Any other personal information not described above

 
Data we use

Any other personal information we collect, not described in any of the categories above, will be brought to your attention with a message at the point of collection from you.

 

How long we keep it for

We’ll keep it for 6 years.

In addition, we may keep your personal information for a longer period of time than mentioned above in the event of ongoing disputes, claims, complaints or data migration. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

 

Passing on your personal information to third parties

From time to time, we may need to pass your personal information to third parties. The third parties we may share information with are:

 

For fulfilment of your employment contract

Healthera uses a number of data processors to help with the HR administration. These include the following:

  • HR system: Charlie OS Ltd
  • Payroll provider: Lanop Ltd (Accountant)
  • Pension provider: Smart Pension Ltd

Where this occurs, Healthera requires sufficient guarantees that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to Healthera.

In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as data controllers in their own right (such as auditors, consultants and legal advisers). In such cases, we will ensure that the appropriate contracts and safeguards are in place.

 

For compliance purposes

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties, such as the Department of Health, CCG, courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.

 

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously.  We’ll use appropriate procedures and security features to process and protect your information.  We have in place a robust framework to ensure the security of your data.

 

Transfers outside the European Economic Area (E.E.A)

Some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the E.E.A, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information
  • we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Model Contract Clauses issued by the European Commission) with the recipient
  • the transfer is necessary for one of the reasons specified in data protection law
  • sometimes, we will request your consent to the transfer

How you can access and correct your personal information

 
How you can correct or rectify your personal information

In order to meet our employer obligations, it is important that we have accurate and complete information about you. We encourage you to notify us of any changes regarding your personal information, as mentioned just below.

You can correct the information we hold about you by logging into your Healthera HR account, then selecting “edit your profile” and making the changes.

You can also contact us at Healthera Limited, St John’s Innovation Centre, Cowley Road, Cambridge, United Kingdom CB4 0WS or email us at career@healthera.co.uk

How you can access your personal information and exercise your rights

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a “data subject access request” or in its abbreviated form, a “DSAR”.

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your right to request access to or rectification of the personal information we hold about you, you’ll have the right, under certain circumstances, to make a request to:

  • restrict or object to the processing of the personal information we hold about you (see Note 1)
  • erase your personal information (see Note 1)
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability’) (see Note 2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note 3)

Note 1: It is important to note that your request to restrict or object to processing, or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note 2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent.

Note 3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.

To make a request under these rights you can:

  • write to us at Healthera Limited, St John’s Innovation Centre, Cowley Road, Cambridge, United Kingdom CB4 0WS or
  • email us at support@healthera.co.uk

Queries and further information     

     

Further information

The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, Slack, telephone etc.).

We may update this notice from time to time. We will keep you updated on material changes to this notice. We also encourage you to check this notice on a regular basis.

 

Contact us

If you want to contact us, you can

  • write to us at Healthera Limited, St John’s Innovation Centre, Cowley Road, Cambridge, United Kingdom CB4 0WS
  • email us at support@healthera.co.uk
  • contact our data protection officer at dpo@healthera.co.uk

Raise a complaint with ICO          

If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint.

We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office so please contact us in the first instance.

The Information Commissioner’s Office can be contacted:

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at http://www.ico.org.uk/concerns
