- Name of service - HR
- Directorate - Transformation, Partnerships & Prosperity
- Date of issue - 25 May 2018
- Date of current version - 30 September 2021
- Review date - 7 April 2024
The reasons why we use your personal data
Purpose / function of the service
During the course of its employment activities, Surrey County Council collects, stores and processes personal information about prospective, current and former staff.
This Privacy Notice covers employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
Surrey County Council takes the processing of your personal data seriously. Please be assured that your information will be used appropriately in line with data protection legislation; will be stored securely and will not be processed unless the requirements for fair and lawful processing can be met.
What information do we collect?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Equality and Diversity Data or Special Category Data (including gender, gender/recognition orientation, race, ethnicity, sexual orientation, religion)
- Contact details such as names, addresses, telephone numbers and Emergency contact(s)
- Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
- Bank details
- Pension details
- Medical information including physical health or mental condition (occupational health information)
- Information relating to health and safety
- Trade union membership
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment Tribunal applications, complaints, accidents, and incident details
The Equality and Diversity Data or Special Category Data is collected for anonymous statistical reporting only.
Our staff are trained to handle your information correctly and protect your confidentiality and privacy.
How we are allowed to use your personal data
- Staff administration and management (including payroll, performance and building security)
- Pensions administration
- Business management and planning
- Accounting and Auditing
- Accounts and records
- Crime prevention and prosecution of offenders
- Health administration and services
- Information and databank administration
- Sharing and matching of personal information for national fraud initiative
- Research and statistical analysis
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.
Your information is never collected or sold for direct marketing purposes.
What is the legal basis for processing your information?
We have a legal basis to process your data as part of your contract of employment (either permanent or temporary) following data protection and employment legislation.
Please be aware during the Covid19 outbreak your information may be used for the purpose of managing the Public Health emergency. For further information please see the Covid19 privacy notice.
From 11 November 2021, anyone working or volunteering in a care home will need to be fully vaccinated against coronavirus (COVID-19), unless exempt. For privacy information relating to the processing of information about vaccination or medical exemption by care homes see Vaccination of people working or deployed in care homes: operational guidance.
When will we seek your consent?
On occasions we will seek your explicit consent to process your personal data (article 6(1) (a) GDPR) and sensitive data (article 9(1) GDPR), where we do not have a contract or legal obligation, in seeking your opinions and expressions as part of research surveys and subsequent statistical analysis.
Who we share your personal data with
There are a number of reasons why we share information. This can be due to:
- Our obligations to comply with legislation
- Our duty to comply any Court Orders which may be imposed
Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
Use of Third Party organisations
To enable effective staff administration, Surrey County Council may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer. The following services are currently provided by third party organisations:
- Occupational health, including health assessments
- Counselling and employee assistance
- Sickness absence recording
- The reporting of Health and Safety accidents and incidents
- Employee relations advisory work supported by trained colleagues from Brighton and Hove City Council, and East Sussex
- Training, including provision of an electronic learning management system
- Research or Staff surveys - please be aware that there is a possibility we will use your personal data for research and statistical analysis purposes
- Mailing house provider
- Trade Unions - member support
Please rest assured that these organisations comply with all relevant data protection legislation in handling your data.
Under data protection legislation, you have the right:
- To be informed why, where and how we use your information
- To ask for access to your information.
- To ask for your information to be corrected if it is inaccurate or incomplete.
- To ask for your information to be deleted or removed where there is no need for us to continue processing it.
- To ask us to restrict the use of your information.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
- To object to how your information is used.
- To challenge any decisions made without human intervention (automated decision making)
Personal data being sent or processed outside of the UK and EU
Your information is not processed overseas.
Retention of data
Your information will be kept for 7 years after termination of employment unless special circumstances apply, e.g. records for those working in residential care homes will be kept for longer. For a full list of retention periods applicable to personnel files see our data retention schedule.
For further information on our privacy notices, please see information and privacy.