DCMS privacy notice for employees, workers and contractors (UK)
Updated 14 August 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/dcms-privacy-notice-for-employees-workers-and-contractors-uk/dcms-privacy-notice-for-employees-workers-and-contractors-uk
1. Privacy notice purpose
The Department for Culture, Media and Sport (DCMS) is committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and process personal information about you before, during and after your working relationship with us, in accordance with data protection laws, (i.e. the UK General Data Protection Regulation and the Data Protection Act 2018).
It applies to all current and former employees, workers and contractors; however, this notice does not form part of any contract of employment or other contract to provide services.
It may be the case that additional privacy notices are provided on specific occasions that will inform you of how and why we are using such information. Also, this privacy notice will be updated on a regular basis and so please see the intranet for an updated copy. Read our Personal Information Charter.
Your personal information may also be collected by the Government Recruitment Service (GRS) before you start your working relationship with DCMS. GRS is part of Civil Service HR in the Cabinet Office and GRS works to meet recruitment needs across government. Review the Civil Service Jobs Privacy Notice.
2. Data Protection Team contact details
The data controller is the Department for Culture, Media and Sport (DCMS). You can contact the DCMS Data Protection Manager at:
Operational Data Protection Team
Department for Culture, Media and Sport
100 Parliament Street
London
SW1A 2BQ
Email: dcmsdataprotection@dcms.gov.uk
Any questions about how we are using your personal data and your associated rights should be sent to the above contact.
The Data Protection Officer responsible for monitoring that DCMS is meeting the requirements of the legislation can be contacted at:
DPO
Department for Culture, Media and Sport
100 Parliament Street
London
SW1A 2BQ
Email: dpo@dcms.gov.uk
3. Information we hold about you
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are ‘special categories’ of more sensitive personal data which require a higher level of protection.
We may collect, store, and use the following categories of personal information about you when required:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses Information about your social economic background such as details about the type of school you attended and your parents’ highest qualification and main job, if you choose to provide them to us
- dates of birth, marriage and divorce
- gender, and legal sex
- marital status and dependants
- information about any caring responsibilities you may have where these might significantly affect your ability to work your contracted hours where an event causes DCMS to work in different ways
- next of kin, emergency contact and death benefit nominee(s) information;
- National Insurance number
- bank account details, payroll records and tax status information
- salary, annual leave, pension and benefits information
- start date, leaving date and reason
- location of employment or workplace
- copy of driving licence, passport, birth and marriage certificates, decree absolute
- recruitment information (including copies of right to work documentation, your references and other information included in a CV or cover letter or as part of the application process)
- evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance — this can include passport details, nationality details and information about convictions/allegations of criminal behaviour
- evidence of your right to work in the UK/immigration status
- full employment records for your employment (including contract, terms and conditions, pay and benefits, job titles, work history, working hours, promotion, evaluation, DCMS Rewards, expenses, absences, attendances, training records and professional memberships, achievements, and qualifications)
- information about your designation as a key or critical worker
- the result of interviews, tests or assessments as part of the recruitment process and any data or documents related to this process
- compensation history
- performance and appraisal information, talent information including talent biographies, talent scheme membership and learning records
- disciplinary and grievance information
- secondary employment and volunteering information
- CCTV footage and other information obtained through electronic means such as swipe card records or information on corporate systems
- information about your use of our information and communications systems
- photographs, videos
- your feedback and views related to DCMS and wider government functions based on surveys or engagement activities
- accident book, first aid records, injury at work and third-party accident information
- information relating to perceived, potential or actual conflicts of interest which you have shared with us per our conflict of interests policy
We will also collect, store and use the following special categories of more sensitive personal information:
- information about your race or ethnicity, religious beliefs, sexual orientation, and your political opinions, if you choose to provide them to us
- trade union membership
- information about your health, including any medical condition, health and sickness records, which may potentially include genetic information and biometric data
- in certain circumstances, where relevant, health information of others including dependents
- information about criminal convictions/allegations and offences
4. How your personal information is collected
We typically collect personal information about employees, workers and contractors through the application, recruitment and onboarding process, either directly from candidates or sometimes from an employment agency or background check provider.
We will sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies, including:
- employee’s doctors, medical and occupational health professionals (Health Partners)
- DBS (Disclosure and Barring Service)
- Home Office – UK Visas and Immigration
- Home Office – UK Border Force
- Cluster 2 Security Unit
- consultants and other professionals who advise DCMS generally
We will collect additional personal information in the course of job-related activities and attendance at office locations throughout the period of you working for us including information stored within your DCMS issued IT accounts.
Some information related to business activities may contain personal information about you and this applies during recruitment, while you work at DCMS and after you have left. Data will be retained in accordance with the DCMS records retention schedule and used in ways outlined in applicable DCMS policies and procedures.
Some information, such as the information about your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions can be provided by you on a voluntary basis.
5. How we use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- where it is necessary for performing the contract we have entered into with you
- where we need to comply with a legal obligation
- where it is in the public interest to do so, or for official purposes, or in the exercise of a function of the Crown, a Minister of the Crown or GLD as a government department, such as the provision of security checks
- where you have provided personal data on a voluntary basis and consent to DCMS processing the data in the way agreed. You are able to remove your consent at any time and we provide contact details for you when we use consent
- where it is necessary to protect your vital interests, or the vital interests of another person
- to identify and manage a perceived, potential or actual conflict of interest in line with the Civil Service Code
Additionally, we may also use your personal information where it is in our legitimate interests or the interests of third parties.
Where we use more than one legal reason to process your personal information we will identify what comes under each reason where possible.
The situations in which we will process your personal information include but are not limited to:
- making a decision about your recruitment or appointment
- determining the terms on which you work for us
- checking you are legally entitled to work in the UK and to provide you with the security clearance appropriate for your role
- civil servants, to check eligibility to become and remain a civil servant
- paying you — or recovery of any overpayment or payments as required for legal reasons such as to comply with a court order, and if you are an employee deducting tax and National Insurance contributions
- providing employment-related benefits to you including all types of leave in line with organisational policy, a pension, advances of salary and access to employee benefits platforms such as vouchers, including childcare voucher provisions etc.
- liaising with your pension provider, providing information about changes to your employment such as promotions, changing in working hours
- general administration of the contract we have entered into with you
- business management and planning, including accounting, auditing and business continuity
- conducting performance reviews, managing performance and determining performance requirements
- making decisions about salary reviews, and allowance and compensation
- facilitate colleagues from DCMS and other people outside DCMS get in touch with you as part of your official role
- assessing qualifications for a particular job or task, including decisions about promotions
- gathering evidence and any other steps relating to possible grievance or disciplinary matters and associated hearings
- making decisions about your continued employment or engagement
- making arrangements for the termination of our working relationship
- education, training and development requirements
- dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- ascertaining your fitness to work, managing sickness absence
- complying with health and safety obligations
- to prevent and detect fraud or other suspected crimes, or activities which contravene the policies and standards required when working for DCMS
- to monitor your business and personal use of our information and communication systems to ensure compliance with our IT and acceptable use policies
- to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- to conduct data analytics studies to review and better understand employee retention, attrition rates and understand employees opinions on certain topics and other organisational reporting needs
- equal opportunities and social economic background monitoring, if you choose to provide this information to us — this will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern
- to fulfil our legal obligations under the Equality Act 2010
- dealing with Freedom of Information Act 2000, and Environmental Information Regulations 2004 requests, if data protection laws allow
- as a consequence of complying with statutory obligations such as disclosing data for Inquiries, Freedom of Information request or meeting data subject requests this may result in searches and extraction of data from DCMS issued accounts — this applies for the duration of the lifecycle of the account
- to comply with legal obligations such as statutory functions, share data as part of government inquiry such as the UK COVID-19 Inquiry, Independent Inquiry into Child Sexual Abuse and/or other official Inquiry or fact finding purposes
- to assess location usage based on card swipe information for estate planning purposes (including usage levels and to provide anonymised aggregated statistics of team attendance for senior leadership and Cabinet Office) and for security purposes such as the investigation of, prevention or detection of crime
- to supply references to prospective employers or educational institutes, or housing references where you have provided your consent for an employment reference to be taken
6. Legitimate interests
If personal information is to be used for purposes that do not relate to DCMS’ core functions or public tasks, processing may also be possible if it is necessary for the legitimate interest of DCMS or a third party, and does not negatively affect the rights and freedoms of the people whose data you are processing, that is, DCMS workers.
We will carry out a balancing of the legitimate interests of DCMS and/or the third party against the interests and fundamental rights of the individuals whose personal information would be processed. When performing this balancing test, DCMS will always need to consider the individual’s reasonable expectation of what is likely to happen to their personal information. Processing must also meet the strict requirements of being ‘necessary’. Examples of where we may use your personal data includes network and information security — where the processing of personal information is strictly necessary and proportionate for the purpose of ensuring network and information security.
7. How we use particularly sensitive personal information
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We will, if necessary, process special categories of personal information in the following circumstances:
- where we need to carry out our legal obligations or exercise our employment-related legal rights and in line with our data protection policy
- where it is in line with our data protection policy, and deemed necessary, for example in:
- performing our functions as a government department or a function of the Crown
- equal opportunities monitoring (provided on a consent/voluntary basis)
- administering our pension scheme
- preventing or detecting unlawful acts
- where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
- where we have your consent or it is information you voluntarily provide
- where it is necessary to protect your vital interests, or the interests of another person
- where it is needed in relation to legal claims
We will use your particularly sensitive personal information in the following ways:
- we will use information relating to leaves of absence; this can include sickness absence or family related leave, to comply with employment and other laws.
- we will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits
- we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting if you choose to provide them to us — this will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern
- this processing will be limited to individuals within HR and will not be shared without an appropriate sign off process — such sharing decisions are taken in accordance with advice provided by data protection colleagues, and also require the involvement of DCMS’s Data Protection Officer
8. Our use of your special category data
There may be circumstances where we process your special category personal data based on a lawful basis other than consent. Where we process your special category data based on consent – this information is provided by you on a voluntary basis and is also not a condition of your contract that you supply the information requested. As explained in the sections below covering your rights, you have the right to remove your consent for DCMS to hold or process this personal data (and have the personal data already provided deleted) at any point.
9. Failing to provide personal information
Some information you are required to provide in order for both parties to perform their requirements under your employment contract or because it is required to meet a legal requirement (e.g. health and safety, tax information). In circumstances where we have asked you to provide your personal and special category data on the basis of consent, we will make this clear and that you can withdraw your consent at any time.
10. Using information for a different purpose
We will only use your personal data in a way which complies with the lawful basis of processing we set out when we collected it. We will update this privacy notice if we need to use your personal information for an unrelated or new purpose.
11. How we use information about criminal convictions
We will only use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to comply with the law or for another reason where there is a substantial public interest in us doing so.
Less commonly, we will, if necessary, use information relating to criminal convictions or alleged criminal behaviour where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate given the nature of the role and where we are legally able to do so.
Where appropriate, we will collect information about criminal convictions/allegations as part of the recruitment process or if we are notified of such information in the course of you working for us. We will use information about criminal convictions/allegations and offences in the following ways:
- to make decisions regarding suitability for the role, or in relation to possible grievance or disciplinary matters and associated hearings
- reference policy or operational instructions relevant to this includes our Guidance for Recruiting Managers and National Security Vetting
- the code of conduct and any contractual terms and conditions which form your contract of employment with DCMS
We are allowed to use your personal information in this way where it is in line with our data protection policy and where one of the following reasons arises:
- where we need to carry out our legal obligations or exercise our employment-related legal rights
- where it is substantially in the public interest to do so and necessary for performing our functions as a government department or a function of the Crown
12. Third parties we might share your personal information with
We will in some circumstances share your data with third parties, including third-party service providers and other Civil Service bodies such as the: Civil Service Commission; Cabinet Office; Government Property Agency; Government Digital Services; the Advisory Committee on Business Appointments; Office of the Commissioner for Public Appointments and other government departments not named above.
We require third parties to respect the security of your data and to treat it in accordance with the law. We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you; where it is in the public interest to do so or where it is necessary for the performance of our functions as a government department or a function of the Crown or where we deem it appropriate or necessary to do so and when we can do so in a legally compliant way. This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions/allegations.
Where we are contacted by your new/prospective employer for an employment reference, or by a third party requesting a financial reference – for example to support tenant or mortgage applications, where necessary, we may also share your personal information. We may also share information on how your personal data relating to financial transactions may be used in counter-fraud and error data matching exercises.
‘Third parties’ includes third-party service providers (including contractors and designated agents) and other entities within the Civil Service. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services, security vetting.
In certain circumstances, we may also share personal information with Civil Service HR (Cabinet Office), Ministry of Justice Casework Service, Employee Assistance Programme, Civil Service Workplace Adjustments Services and Civil Service Mediation Services, Civil Service Investigation Services.
These external parties include:
| Third party | Purpose |
|---|---|
| HM Revenue and Customs | Tax and pay |
| UKBF and UKSV | Visa applications and security vetting |
| Shared service providers | Administration of your HR, pay and pension records |
| Pension service providers, and any additional voluntary contributions providers including MyCSP | Pensions administration |
| The National Archives and any other holder of official records | If records are deemed to have historical interest |
| The Office of National Statistics | Data relating to special employment conditions, such as apprenticeships and fast-stream |
| External auditors including the National Audit Office | Variety of audit checks to assure compliance with process/policy |
| Third party service providers, such as childcare voucher schemes | Administration of benefits |
| Debt collection agencies | Collection of money owed post-employment |
| Occupational health providers including the Civil Service Workplace Adjustment Team (CSWAT) and Employee Assistance Programme (EAP). | Legal obligation to support employees health and wellbeing |
| Civil Service HR, including Civil Service Investigation Services and Civil Service Mediation Service | To support DCMS employees and ensure DCMS aligns where possible to Civil Service best practice. |
| MOJ Casework Services | To support DCMS Line Managers during complex employee casework |
| Outplacement support providers | Support for at risk employees |
| Lease and fleet car | Administration of lease and fleet car |
| Travel providers | Travel and accommodation arrangements |
| External records management providers | Storage of your HR, pay and pension records |
| Public authorities such as Police or investigatory authorities | If required by law or for the prevention, detection or prosecution of crime |
| Contractors or third party businesses or organisations to help develop or deliver services | Support for DCMS to develop or deliver products, policies, strategies or services |
| Facilitate secondment or loan | If you are seconded, loaned or redeployed to another employer |
| Government Property Agency(GPA) | To allow you access to GPA buildings |
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
13. Civil Service organisations we may share your personal information with
We will share your personal data with other Civil Service organisations in a number of situations, for example, as part of our regular reporting activities on departmental performance, in the context of a business reorganisation or restructuring exercise, for system maintenance support and hosting of data; business planning/talent management initiatives, succession planning, statistical analysis; and general management and functioning of the Civil Service. In each circumstance the sharing will only occur if it is compliant with data protection legislation and is justified.
Pseudonymised personal data — replacing most identifying fields within a data record by one or more artificial identifiers — is also shared with the Office for National Statistics, mainly for statistical purposes. The Office for National Statistics, along with other auditing bodies such as the National Audit Office can also see and review personal data in an audit. As mentioned above, personal information sent to the Cabinet Office for equal opportunities and social economic background monitoring can also be pseudonymised, and not anonymised (i.e. DCMS still holds the information which includes the identifiable staff numbers).
As part of the National Fraud Initiative your data may be shared with the Audit Commission.
If required, we may need to share your personal information with a regulator or to otherwise comply with the law.
14. Processing of your information outside the UK
We do not transfer personal data outside the UK however some of your personal data may be processed offshore by our services provider, MHR. Your personal data receives the same level of protection when processed offshore as it does onshore. This protection is delivered by the use of standard data protection clauses required by the data protection legislation.
15. Secure storage of your personal information
We have put in place measures to protect the security of your information.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
These measures will be documented in the contracts or data sharing agreements in place with the third parties. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They are directed to only process your personal information in accordance with our instructions.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are either legally required or deem it appropriate to do so.
16. How long we hold personal information
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in DCMS’ records retention schedule.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with the departmental retention schedule.
A very small percentage of government records containing personal information are selected for preservation at The National Archives. They are made available in accordance with the Freedom of Information Act 2000, as amended by the Data Protection Act 2018.
17. Your rights in relation to personal information
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Please contact the Data Protection team via dcmsdataprotection@dcms.gov.uk to exercise any of your rights listed below.
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. This can be where you have provided your personal data voluntarily and have then withdrawn your consent, or where you have objected to the processing of your personal data (see bullet points below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party.
Request to withdraw your consent. Where you have provided your consent to the collection, processing or transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time, and as above you also have the right to ask that we delete the information held, (for example, where you have provided information voluntarily on your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions you can withdraw your consent, delete any information that you have access to, and then ask that we delete any further personal information held). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Right to not be subject to automated decision making and profiling. Where decisions about you are being made by automated processes you have the right to have these decisions be reviewed by a member of staff and to be exempted from automated processing.
18. Complaints process
If you are not satisfied with the way your personal information is being handled, you can contact the Data Protection Officer to review how your personal information is being used:
DPO
Department for Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ
Email: dpo@dcms.gov.uk
You have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO) at any time. Should you wish to exercise that right, full details are available on the ICO’s website.
19. Changes to this privacy notice
This privacy notice was last updated on 1 September 2022.