Purpose of this document
The Oxfordshire Training Hub (OTH) are committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect, store, use and share personal data about you during and after your working relationship with us in accordance with Data Protection Laws, including the General Data Protection Regulation (GDPR).
This notice applies to all current and former federation employees who have engaged with the OTH Bursary Scheme and those who have been granted bursary funding. This notice does not form part of any contract of employment or other contract to provide services.
The OTH is hosted by OxFed Health and Care Ltd who is a registered “data controller”. This means that OxFed are responsible for deciding how your personal information is processed and retained. We are required under data protection legislation to notify you of the information contained in this privacy notice. OxFed may be found under reference ZA236420 on the Information Commissioner’s site at https://ico.org.uk/esdwebpages/search.
It is important that you read this notice, together with any other privacy documents that are provided on specific occasions when we are collecting or processing personal data about you so that you are aware of how and why we are using such information.
OTH has set up a Bursary Scheme to increase access to advanced clinical practice programmes. The aim of this scheme is to progress practice roles within primary care, more specifically within General Practice.
The bursaries will be awarded twice a year to allow opportunities for further training in the first as well as second half of the year. The healthcare professional will receive 60% in funding of the cost of the study programme from OTH. The remainder of the programme shall be funded by the practice where the individual is employed or by the individual themselves.
The information we hold about you
‘Personal data’, or ‘personal information’ means any data about an individual from which that person can be identified. This does not include information where the identity has been removed and the data has been anonymised.
There are “special categories” of more sensitive personal data which require a higher level of protection. This includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data Protection Principles
We will comply with Data Protection Laws which state that the personal data we hold about you must be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about;
- Kept securely.
Our lawful grounds for processing
The GDPR and Data Protection Laws require us to rely on one or more lawful grounds to process your personal information. We will only use your personal data when the law allows us to. Most commonly, we will process your personal information in the following circumstances:
‘Where necessary for the purpose of the legitimate interest pursued by us or a third party’.
The legitimate interests we rely on are:
- It is our legitimate interest to process your data prior to, during and after the bursary scheme. Processing is necessary for performing the agreement we have entered into with you to ensure we can fulfil our purpose by providing you with a bursary.
- The processing is also necessary to ensure regulatory compliance. If we are unable to process your personal data, we cannot engage with you as we will not be in a position to meet our contractual obligations with our commissioners (the Clinical Commissioners Group (CCG)), local authorities and our legal obligations in accordance with UK Laws and our regulators, the Care Quality Commission (CQC).
- To safeguard the health and safety of our employees, service users and premises.
‘Where we need to protect your vital interests (or someone else’s interests)’.
We rely on vital interests if we need to process your personal data to protect yours or someone else’s life in the event that you are unable to provide consent. For example, in a medical emergency your information may need to be shared with the ambulance services.
Consent means offering you real choice and control. In certain situations, we may request to process and share certain information internally, for example, photographic imagery for the purpose of the OTH and OxFed team briefs, newsletters, notice boards etc. If this is necessary, we will provide you with a Model Release form and obtain your explicit consent. Your consent may be withdrawn at any time.
Your data will be stored securely in a range of different places including your personnel file, within the HR management platform and other IT systems if applicable (including our secure and NHS-approved email system). This data will be restricted to certain employees who require access to this information to carry out their role, e.g. Human Resources (HR) and People Services.
Employees and those engaging with the OTH Bursary Scheme
We may collect, store and process the following categories of personal data about you:
- Your title, name, address and contact details including telephone numbers and personal email addresses, date of birth and gender;
- the terms and conditions of your employment with the practice and/or engagement with us, i.e. employment contract or bursary agreement;
- your qualifications, skills, experience and employment history, including start and end dates with previous employers and engagement period with us; and
- details included via feedback forms upon completion of the course subject to your consent.
There may be instances where we are required to collect, store and process the following “special categories” of sensitive personal data:
- Information about your health, including any medical conditions, disabilities, health and sickness records for reasonable adjustments to be made;
- Information about criminal convictions/ allegations and offences;
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for the purposes of equal opportunities monitoring. This information is anonymised and collected with your consent only which can be withdrawn at any time. You are entirely free to decide whether or not to provide such data and there are not any consequences of not doing so.
We may collect this data in a variety of ways. For example, data might be collected through application forms, CVs or resumes, your passport or other identity documents such as your driving licence, forms completed by you at the start of or during your engagement such as the employee form, correspondence with you, through interviews, meetings or other assessments.
In some cases, we may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from the DBS and criminal records checks as permitted by law.
There may be instances where you are required to attend our offices based within Northway Community Centre. The centre also provides facilities to members of the local community and therefore it is important that the safety of the local community, patients, staff including applicants, customers, suppliers, our business contacts and our business overall is monitored in order to prevent and detect crime and anti-social behaviour.
The centre monitors this by storing and processing photographic/ video imagery by way of CCTV on our premises. This data is controlled by Mr Graham Bellinger, a volunteer at the centre who determines the manner in which it is processed and has overall responsibility and control over it. The OTH and OxFed have been provided data processing rights of this information to also store and process the information. For further information, please contact our Assistant Director of Operations, Mrs Sheree Martin, email@example.com.
Situations in which we will process your personal data
The situations in which we may process your personal data are listed below:
- provide references on request for those that have engaged with our Bursary Scheme;
- respond to and defend against legal claims;
- equal opportunities monitoring;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace where applicable;
- operate and keep a record of performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- monitoring, storing and processing imagery by way of CCTV on our office premises to prevent and detect crime; and
- photographic/ video imagery of you at team social events and other photographs for the purpose of our newsletters, briefings, internal notice board etc.
Who has access to this data?
Your data will be shared with the practice where you are employed and HEE, the funding providers, for the purpose of obtaining the bursary you have applied for. We will not be in a position to provide you with the course funding without sharing this information.
There may be limited circumstances where your data will also be shared with the relevant course provider or any other third parties where necessary to facilitate your enrolment on the course.
Your data may also be shared with law enforcement or other authorities if required by applicable law.
We will not transfer your data to countries outside the European Economic Area (EEA).
How we protect your data
We take the security of your information seriously. Internal policies and controls are in place to ensure that your information is not lost, accidentally destroyed, misused or disclosed and is not accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data upon our instructions.
Where we engage third parties to process personal data on our behalf, this will be carried out on the basis of written instructions, under a duty of confidentiality and under an obligation to implement appropriate technical and organisational measures to ensure the security of your data.
How long we retain your data
Except as otherwise permitted or required by applicable law/ regulatory requirements, we shall retain your personal information only for as long as we believe it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations.
The periods for which your information is held after the end of employment/ engagement are:
- Basic data for the provision of references is retained for 10 years – this includes name, start date, end date, practice job role and Bursary Scheme information.
- All other data relating to your employment will be destroyed 6 years after the end of each tax year following your departure from the organisation in accordance with s.5 of the Limitation Act 1980.
You may request that we delete the personal information that we hold about you. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal information. In the event that we cannot delete your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
What if you do not provide personal data?
If you fail to provide certain information when requested, we will not be able to fully perform the agreement we have entered into with you or we could be prevented from complying with our legal and contractual obligations. Failing to provide certain information may mean that you are unable to exercise your statutory rights and may hinder our ability to administer the rights and obligations arising as a result of the employment or engagement relationship efficiently.
Under the Data Protection Laws, you have a number of rights. These rights include:
- Fair processing of information and transparency over how we use your personal information;
- Access to and/or obtain a copy of your personal information on request in a structured format and have the right to transmit the information to a third party in certain situations;
- require us to change incorrect or incomplete information;
- require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- withdraw your consent/ object/ erasure of specific processing in certain circumstances.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you would like to exercise any of the above rights, have any questions about this privacy notice or how we handle your personal data, please contact our OTH Head of Programmes, Ms Rachel Wensley, firstname.lastname@example.org. Please ensure you provide proof of your identity (passport or driving licence) and address (in the form of a recent utility bill or bank statement) along with your request so we can deal with your query promptly.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Changes to this privacy notice