Guidance

Civil Service Human Resources (CSHR) Expert Services directorate privacy notice

Updated 5 January 2021

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).

Civil Service Human Resources (CSHR) Expert Services directorate is hosted by Cabinet Office. We provide expert Human Resources (HR) services to our customers, Civil Service (CS) departments.

Your data

Much of the information we process will have been provided by you in correspondence with us. In some cases, your data may have been obtained by us from another Government department or other sources such as your manager.

We may process the following personal data about your:

• name
• address and contact details, including email address and telephone number
• date of birth
• gender
• employment status, job title, grade and work pattern
• location
• pay
• politics
• health
• Trade Union membership

In conducting research we process the following data about you: Names, job titles and grades, email addresses, work location, opinions.

Purpose

The purpose we are processing your personal data is to support the government workforce and help departments and professions to build a modern, effective Civil Service.

We do this by providing central guidance and evaluation for the Civil Service on:

• the Civil Service Management Code
• employment policies
• pay and reward
• Transfer of Undertakings (Protection of Employment) or Cabinet Office Statement of Practice (TUPE/COSOP)
• job evaluation
• health and wellbeing
• diversity and inclusion
• employee relations
• recruitment
• redundancy mitigation

We also conduct research through surveys, interviews and focus groups. These are intended to gather opinions on issues concerning the civil service. We use the data gathered through these to produce aggregated reports in which you will not be identified personally.

Legal basis of processing

The lawful basis for processing your personal data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We directly support Cabinet Office in delivering the priority of driving efficiencies and reforms that will make government work better. As part of our Civil Service HR function, we also support the government workforce and help departments and professions to build a modern, effective Civil Service.

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The conditions for processing your sensitive personal data is it is necessary:

• for reasons of substantial public interest in for the exercise of a function of the Crown, a Minister of the Crown, or a government department.
• for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights as the data subject, under employment law, social security law or the law relating to social protection.

For example:

• information about your Trade Union membership will be provided when engaging with our Employee Relations service on behalf of your Trade Union.
• information about your health may be provided in order to implement reasonable adjustments required under the Equality Act.

Recipients

Your personal data may be shared with other Government departments where it is necessary for the performance of our functions as a Government Department or a function of the Crown. This will, in some circumstances, involve sharing special categories of personal data. Other Government departments that use CSHR Expert Services directorate agree to a Memorandum of Understanding that includes the protection of your personal data.

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email and document management and storage services to us.

We may use other service providers to track enquiries and process feedback surveys, in which case controls are in place to ensure your data is protected.

Retention

Your personal data will be kept for 7 years and retention beyond this period will then be reviewed on an annual basis.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.

We will keep research, survey and interview data in identifiable form for one year.

Your rights

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.

You have the right to request that any inaccuracies in your personal data are rectified without delay.

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.

You have the right to object to the processing of your personal data.

International transfers

For some feedback surveys your personal data will be processed outside the UK and EEA, or by an international organisation. In these circumstances it will be subject to equivalent legal protection through the supplier’s certification under the Privacy Shield Scheme.

As your personal data is stored on our IT infrastructure, and shared with our processors, it may be transferred and stored securely outside the European Economic Area. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113

casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS
0207 276 1234

publiccorrespondence@cabinetoffice.gov.uk

The contact details for the data controller’s Data Protection Officer (DPO) are:

Stephen Jones
Data Protection Officer
Cabinet Office
70 Whitehall
London
SW1A 2AS

dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties.

Last updated: December