Guidance

GDS and CDDO human resources privacy notice

Published 25 February 2019

This privacy notice covers the Government Digital Service (GDS) and Central Digital and Data Office (CDDO), part of the Cabinet Office, and sets out how we handle personal data relating to human resources (HR) and finance.

It describes how GDS and CDDO collect and use your personal information:

• when you apply for a job
• while you work with us as an employee or as a worker
• after you leave GDS or CDDO

This notice does not apply to contractors, who are subject to individual or commercial contracts, and does not form part of any contract of employment or other contract to provide services.

The data controller for GDS and CDDO is the Cabinet Office. This means it’s responsible for deciding how to hold and use personal information, in accordance with data protection law, including the General Data Protection Regulation (GDPR). Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

Why we collect and process your personal data

We use your personal data for different purposes. During recruitment we will use it to:

• prove your identity
• prove your right to work
• perform background checks

While you’re employed with us, we will use it to:

• carry out tasks related to your employment, like contacting you, updating your records, performing evaluations, planning and reporting
• comply with the terms of your contract, including paying your salary, contributing to your pension, providing benefits, training and development opportunities
• allow your colleagues and other people outside GDS and CDDO to get in contact with you in your official role
• publish a blog post on the GOV.UK platform under your name
• monitor our recruitment and employment records to make sure we provide equal opportunities to candidates and staff
• provide training and development opportunities
• compile statistics, research and analysis that help improve Civil Service

We might need to use it in special cases to:

• bring or defend legal actions related to your employment
• respond to public inquiries and meet our legal duties under the Freedom of Information Act 2000, Environmental Information Regulations 2004, and the GDPR
• preserve records of historic value and meet our duties under the Public Records Act 1958
• assist regulators or law enforcement agencies in preventing, investigating, detecting or prosecuting a criminal offence

What information we hold about you

We hold both personal data and sensitive personal data.

Personal data means any information that relates to an identifiable living individual. It does not include anonymous data.

Personal data includes:

• name
• job title
• email address
• physical address
• IP address
• National Insurance number
• unique identifiers (such as session cookies)

Special categories of personal data is any data that is particularly sensitive. This is also known as sensitive personal data. It includes information such as:

• race or ethnicity
• political opinions
• religious beliefs, or those of a similar nature
• trade union membership
• physical or mental health
• sexual health or orientation
• genetic or biometric data

Sensitive personal data requires a higher level of protection.

When you apply for a job with us we collect, store and use:

• personal contact details
• copies of personal identification documents (such as a driving licence, passport, birth and marriage certificates, or decree absolute)
• proof of current address (such as a bank statement or council tax bill)
• evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance - this can include passport details, nationality details and information about convictions/allegations of criminal behaviour
• evidence of your right to work in the UK and immigration status
• data to monitor diversity: information about your race or ethnicity, religious beliefs, sexual orientation
• information on your socio-economic background
• information about criminal convictions or allegations and offences as part of Baseline Personnel Security Standard checks
• evidence of how you meet the requirements of the job including CVs and references

Once you start working for us we’ll also collect, store and use:

• work email address and telephone number
• information on corporate roles you hold within the organisation
• dates of birth, marriage and divorce
• gender
• marital status and dependants
• next of kin, emergency contact and information on who you nominated in your will
• National Insurance number
• bank account details, payroll records and tax status information
• salary, annual leave, pension and benefits information (including state and occupational pension retirement age, current and previous pension scheme details)
• information regarding your wage, including allowances, overtime payments, bonuses and other payments
• start date - and leaving date for ex-employees
• work location
• full employment records, including contract, grade, job titles, employee number, work history, working hours, promotion, absences, attendances, training records and professional memberships compensation history
• performance and appraisal information, including 360 degree feedback
• talent information including talent biographies
• talent scheme membership

If we need to, we might also collect, store and use the following information:

• reservist status
• information required for the shared parental leave scheme - this will include information on you, your partner and your child
• disciplinary, investigation, whistleblowing and grievance information
• secondary employment and volunteering information
• information on learning and development, training, and professional development
• trade union membership
• information about your health, including any medical condition, health and sickness records
• information about business travel
• opinions and images published in staff blogs

How your personal information is collected

We collect the information listed above mostly during application and recruitment, either directly from you or sometimes from a third party such as an employment agency or background check provider.

These third parties include:

• former employers
• credit reference agencies
• Disclosure and Barring Service (DBS)
• other background check agencies
• other government departments
• pensions administrators
• medical and occupational health professionals
• psychometric testing professionals (for SCS candidates only)
• professionals who advise the department on general matters, or in relation to any grievance, conduct appraisal or performance review
• agencies that recruit workers

Our legal basis for processing your personal data

The legal basis we collect, use and hold your data under varies according to the stage of your employment.

When you apply for a job with us

Legal basis	Why does it apply?
Contractual	We need your personal data to take the steps required to enter into a contract with you. This applies to your application or pre-employment checks.
Legal obligation	The law requires us to check you’re entitled to work in the UK.
Public task	We need to process personal data to perform a task carried out in the public interest, or in the exercise of official authority. This applies to carrying out National Security vetting for some roles.

When you work for us

Legal basis	Why does it apply?
Contractual	We need personal data to uphold the terms of your employment contract with us. This applies to: - paying your salary and, if you’re an employee, deducting tax and National Insurance contributions - paying your leave days, including annual, sick, adoption, maternity, paternity and shared parental leave - and processing payslips - providing pension, advances of salary, season ticket loans, reward vouchers and bonuses - communicating to your pension provider about changes to your employment such as promotions and changes in working hours - general administration, including budgeting and cost management - performance management and talent reviews - assessing qualifications for a particular job or task, including decisions about promotions - managing sickness absence - making decisions about salary reviews and compensation - managing your career passport - details of any trade union role you have - gathering and managing information for grievance, investigations, whistleblowing or disciplinary matters and associated hearings - making arrangements to extend or end your contract - providing you with education, training and development - managing your membership of your Civil Service profession or function - processing bank cards and ePurchasing Card Solution (ePCS) applications - managing corporate credit cards - processing travel bookings - operating the Cycle to Work Scheme - publishing blog posts
Public task	We need to process personal data to perform a task carried out in the public interest, or in the exercise of official authority. This applies to: - sharing information with the wider Civil Service to make sure we do things efficiently - monitoring and reporting on providing equal opportunities to all employees, including workforce planning across government departments and pay framework analysis - co-operating with public inquiries, and preventing fraud
Legal obligation	We need personal data to comply with our legal obligation as data controller. This applies to: - providing tax and salary information to HM Revenue and Customs - dealing with legal disputes and accidents at work involving you - directly or indirectly - preserving historic records - responding to statutory requests under the freedom of information, environmental information and data protection legislation.
Consent	We process health-related data on the basis of consent when: - we need to access medical records or occupational health reports - you apply for some pension rights, like retiring for ill health We will ask for your explicit consent at the time. We will be relying on your consent if: - you ask us to set up workplace giving to a charity - you’re managed via the Workday platform and choose to add a photograph - you engage with our third party learning and development providers - you’re voluntarily publishing a staff blog - you engage in any surveys relating to your employment - you participate in employee networks or opt in to receiving newsletters - you participate in exit interviews or surveys to understand why you are leaving your employment

When you’ve stopped working with us

Legal basis	Why does it apply?
Contractual	We need personal data to uphold the terms of your employment contract with us. This applies to: - paying pensions and death benefits - processing exits from GDS including redundancy and ill health retirement
Legal obligation	If your personal data is passed to The National Archives to form part of the historic record, we will process it as a legal obligation, and it will be protected from disclosure. This also applies to responding to statutory requests under freedom of information, environmental information and data protection legislation - but only if that doesn’t breach your rights under data protection legislation.
Public task	We need personal data for tasks carried out in the public interest or in the exercise of official authority. This applies to co-operating with public inquiries.

The legal basis for processing sensitive and criminal convictions personal information

When you apply for a job with us

Legal basis	Why does it apply?
Public task: if we need it for reasons of substantial public interest in the exercise of our functions	This applies to processing information about criminal convictions, allegations and offences during baseline security clearance checks

When you are employed by us

Legal basis	Why does it apply?
To comply with law - where it relates to employee and employer’s legal rights and duties	This also applies to: - information about leaves of absence - this can include sickness absence or family-related leave - trade union membership information to pay trade union premiums and register the status of a protected employee - if we need it to assess your ability to work based on your health - if we need it to identify and review cases of non-equal opportunity or treatment based on race or national or ethnic origin, religious beliefs, or your sexual orientation - if we need it for reasons of substantial public interest for the exercise of our functions. This concerns information about criminal convictions or allegations - if we need it for legal claims, for example to deal with employment tribunal cases
Consent	This applies to: - occupational health or medical data - for benefits like the eye test scheme - any sensitive personal data revealed in blogs that you publish - exit interviews or surveys that help us assist you leaving your role and concluding any logistical formalities

What we do with your data

We will share your work contact details with other employees, and they might be shared with people outside of GDS or CDDO if there’s a business need.

In some cases we will have to share your data with third parties, including service providers, contractors, designated agents and other organisations within the Civil Service.

Where appropriate, we will share your data with the following third parties:

• Office for National Statistics, mainly for statistical purposes
• Government Internal Audit Agency, for audit purposes
• Government Legal Department, where we need to seek legal advice
• other government departments, for management of Civil Service Professions and Functions
• other organisations, if an employee transfers or is seconded to that organisation
• public inquiries
• IT infrastructure (Google, AODocs)
• payroll (Shared Service Connected Ltd)
• pensions administration (My CSP)
• employee benefits provider (Edenred)
• overseas healthcare insurance (Foreign, Commonwealth and Development Office, and their data processor Healix)
• recruitment administration (Oleeo for GDS and CDDO)
• occupational health provider (People Asset Management - previously OH Assist)
• workplace adjustment provider (Civil Service Workplace Adjustments Team)
• HR casework providers (Ministry of Justice Casework)
• booking of taxis (Goldstar Taxis and Greater London Taxi Hire Ltd), travel (Enterprise Rent-A-Car UK Limited) and accommodation services (Calder Conferences Ltd and Clarity)
• duties in respect of compliance, complaints and investigation (Civil Service Commission), advice under the Business Appointment Rules (Advisory Committee on Business Appointments), and casework in compliance with the Government Code for Public Appointments (Office of the Commissioner for Public Appointments)
• Fast Stream HR Self Service (SSCL, Workday and Fujitsu)
• engagement and communication tools for GDS and CDDO employees, such as Slack, Peakon and Mailchimp
• engagement tools for GDS and CDDO employees, such as Slack
• engagement tools across government departments, such as Knowledge Hub
• mass notification tool for business continuity support (Everbridge)
• workforce planning and pay framework data science analysis to improve our recruitment processes and ensuring equality and transparency
• offsite paper document storage (TNT)
• consideration of in-year bonus payments (In-Year Bonus Panel)
• Talent Teams in other government departments for talent management
• Talent and development programme providers (Future Learn, Apolitical, Pluralsight)
• 360 degree feedback provider (YSC)
• workplace giving provider (Charities Trust)
• Cycle to Work partner (Cycle Solutions)
• a regulator or law enforcement agency for preventing, investigating and prosecuting criminal offences
• a third party who makes a statutory freedom of information, environmental information or data protection request, if releasing your data does not breach your rights

Transferring information outside the UK

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the United Kingdom. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses or Adequacy Decisions approved by the European Commission.

Some of your personal data may be processed offshore by our services provider, Shared Services Connected Limited (SSCL). SSCL use Centres of Excellence in the UK and in India to manage our back office services. Your personal data receives the same level of protection when processed offshore as it does onshore. This protection is ensured by the use of Model Contract Clauses approved by the European Commission. A copy of the model contract clauses are published on the Commission website.

How long we keep your data (‘data retention’)

We will only keep your personal information for as long as necessary for the purposes we collected it for - including legal, accounting, or reporting requirements.

This will depend on:

• the amount, nature, and sensitivity of the personal data
• the potential risk of harm from unauthorised use or disclosure of your personal data
• the purposes for which we process it
• whether we can achieve those purposes in other ways

Sometimes we will anonymise your personal information so that it can no longer be associated with you. In this case we will use it without notifying you.

Once you no longer work for us, we will retain and securely destroy your personal information in accordance with our data retention policy. Use the contact details below for more information.

Your rights

Under certain circumstances, you have the right to:

• request access to your personal information (known as a ‘data subject access request’) - you’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. It also allows you to request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format
• request that we correct incomplete or inaccurate personal information that we hold about you
• request we delete or remove your personal information - you can do this when there is no good reason for us to keep it - you can ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
• withdraw your consent for any data processed under the lawful basis of consent (see below)
• object to processing of your personal information where we are relying on the legal basis that we are carrying out our public task (see legal bases above)
• request the restriction of processing of your personal information - this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it

To make any of the requests above or to ask us to transfer a copy of your personal information to another party, please contact the GDS People Team mailbox: peopleteam@digital.cabinet-office.gov.uk.

Accessing your data

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, if your request for access is clearly unfounded or excessive we may:

• charge a reasonable fee
• refuse the request

In some cases we will need some information to confirm your identity. This is to ensure that your personal information is not disclosed to someone who has no right to access it.

Questions and complaints

The data controller for your personal data is the Cabinet Office.

If you have any questions about this privacy notice contact the GDS People Team mailbox: peopleteam@digital.cabinet-office.gov.uk

The Data Protection Officer provides advice and monitors Cabinet Office’s use of personal information. If you have any concerns about how your personal data has been handled, please contact the DPO:

Data Protection Officer

Cabinet Office
70 Whitehall
London
SW1A 2AS

Email DPO@cabinetoffice.gov.uk

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860

Changes to this privacy notice

We may change this privacy notice. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.