Guidance

Employee Privacy Notice for Crown Commercial Service

Updated 26 September 2022

Your data

Purpose

The purposes for which we are processing your personal data are:

• to consider and decide applications for employment
• managing your employment contract
• to ensure that employees are paid correctly through our payroll provider, and to detect and prevent fraud
• to process any ad hoc payments outside of the payroll
• to ensure the correct rate of tax and national insurance is paid and to ensure the individual’s information held with HMRC is correct
• to provide a workplace pension
• to provide employee discounts, benefits and child care vouchers
• to monitor staff wellbeing, for example mental health first aiders, bullying, harassment, grievance and diversity support
• to track employees’ e-learning
• for business planning, including headcount reporting, absence reporting and workforce reporting
• to contribute to the compilation of statistics or central statistics
• for annual National Audit Office audit purposes
• to share with other public bodies when employees transfer between bodies on an individual, COSOP or TUPE basis
• for equality monitoring purposes
• to monitor usage of CCS ICT Assets inline with the ICT acceptable use policy, and to bill correctly for mobile telephony & technology use

The data

We will process the following personal data:

For recruitment:

name, address, telephone number, personal email address, sift and interview scores, eligibility to work, employment history, education/training history and qualifications, personal and work referee contact details, nationality, gender, disability status, reasonable adjustments, previous employment payslips, proof of identity.

For employees:

name, address, telephone number, personal email address, work email address, date of birth, marital status, gender, salary, staff pension details, bank details, national insurance number, next of kin details, emergency contact details, doctors details, job title, grade, work location, continuous service date, working pattern, working hours, complete job and pay history, previous employment details, previous education details, town of birth, country of birth, passport number, driving license number, passport issue date, driving license issue date, nationality at birth, present nationality, security clearance details including details of any criminal convictions or offences, proof of identity, ethnicity, sexual orientation, disability status, religion, gender at birth, health, optional photo for staff directory & HR systems, Official ICT Asset’s IP address, MAC Address, Telephone number, IMEI and country that the device is operating in.

Legal basis of processing

The legal basis for processing your personal data is:

For recruitment:

• it is necessary in order to take steps at your request prior to entering into a contract. In this case that is your application for employment and pre-employment checks
• it is necessary to comply with a legal obligation placed on us as the data controller. In this case that relates to eligibility to work checks, and reasonable adjustments under the Equality Act 2010

For employees:

• it is necessary for the performance of a contract to which you are a party. In this case that is your employment contract
• it is necessary to comply with a legal obligation placed on us as the data controller. In this case that is payment of tax and enrolment in a pension

In relation to optional photo for staff directory & HR systems:

• because you consent

Sensitive personal data

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The legal basis for processing your sensitive personal data is:

For recruitment:

• it is necessary for the purposes of performing or exercising our obligations or rights as the controller under employment law. In this case that is to understand any disabilities to provide reasonable adjustments for applicants

For employees:

• it is necessary for the purposes of performing or exercising our obligations or rights as the controller under employment law. In this case that is to understand any health issues, or any disabilities to provide reasonable adjustments for employees
• processing is of a specific category of personal data and it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained. This refers to equality monitoring

Criminal convictions personal data

We will check external applicants for jobs against the civil servant fraud database. The processing by us of personal data relating to criminal convictions and offences or related security measures is carried out because processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department; the exercise of a function conferred on a person by an enactment.

Employees will be expected to pass Baseline Personnel Security Standards, which will involve the processing of criminal convictions information. Our legal basis for this is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department; the exercise of a function conferred on a person by an enactment.

Recipients

Recruitment:

Your personal data will be shared by us with our Applicant Tracking System provider.

The information will be shared with ONS in order to compile statistics.

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.

Employees:

Your personal data will be shared by us with:

• ONS in order to compile statistics
• payroll providers
• pension providers
• security vetting providers
• HMRC for the purposes of taxation
• e-learning systems and providers
• self-serve HR systems
• employee benefit systems, and child care voucher schemes
• other public bodies if you are transferring to or from them
• mobile phone operators and billing system providers
• the National Fraud Initiative service operated by Cabinet Office to detect payroll fraud (NFI’s privacy Notice is here: https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text)

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.

Retention

Data relating to job applications will be retained according to the Civil Service Commission guidelines of 2 years. The data will be reviewed on a quarterly basis and deleted if it has expired the retention period

For employees, the information will be retained for the purposes in which it was collected in line with our published HR retention schedule for a period of up to employee age 100. The data will be reviewed on a quarterly basis and deleted if it has expired the retention period.

Where personal data have not been obtained from you

Your personal data were obtained by us from your current employer.

Your rights

You have the right:

• to request information about how your personal data are processed, and to request a copy of that personal data
• to request that any inaccuracies in your personal data are rectified without delay
• to request that any incomplete personal data are completed, including by means of a supplementary statement
• to request that your personal data are erased if there is no longer a justification for them to be processed
• in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted
• to object to the processing of your personal data where it is processed for direct marketing purposes
• to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format

In relation to staff photographs, you have the right:

• to withdraw consent to the processing of your personal data at any time

International transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS
Telephone: 0207 276 1234

https://www.gov.uk/guidance/contact-the-cabinet-office

The contact details for the data controller’s Data Protection Officer are:dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.