The information you supply or have supplied to the council is regulated by the General Data Protection Regulation (GDPR). This legislation specifies:
- what information can be collected
- how information is stored and used
- the period during which information is stored
- your rights to view and correct the information held
- your right to "be forgotten".
During the application process and during your working life with the council, you are asked to supply personal information for a range of HR processes. This includes your name, address, date of birth, gender, national insurance number and (for some employees only), passport number, birth certificates/marriage certificate, start date, salary, post, work absence information and so on.
Most of the information you provide is required so we pay you correctly and ensure you pay the correct amount of income tax for example. However some data like details on equalities, are provided on a voluntary basis. To comply with data protection legislation, we will make it clear that answering these type of questions isn't mandatory.
Data controller and purpose
The information you have provided and for current staff, continue to provide during your working life will be processed by the London Borough of Tower Hamlets’ Human Resources (including Payroll and Pension) Service to ensure that your employment is legally sound and that we can (for example) provide a safe working environment and pay your salary or pension correctly. We process your data in accordance with the GDPR and if you have any concerns, the council’s Data Protection Officer can be contacted at DPO@towerhamlets.gov.uk.
The appendix details what data we collect and process and the reasons why.
Condition for processing personal data
The appendix details why it is necessary for us to process your personal data and the section of the GDPR under which the data is lawfully processed.
How long do we keep your information?
We will only hold your information for as long as is required by law and to provide you with the necessary services. This will vary according to the information supplied. For example information regarding you and your pension will be retained until after your death and so potentially for many decades.
We may also anonymise some personal data you provide so you cannot be identified and use this for statistical analysis to help the council target and plan the provision of services.
Information sharing
Your personal information may be shared with internal departments or external partners and agencies involved in delivering services on our behalf. For example the information you supply to the council will be processed by Northgate, who manage the HR/Payroll computer system, Altair who manage the computer system used by the pensions team and shared with HMRC to ensure you pay the correct tax. The appendix gives details of the organisations we may share your data with and the circumstances where it may be shared.
The council has a duty to protect public funds and may use personal information and data matching techniques to detect and prevent fraud, and ensure public money is targeted and spent in the most appropriate and cost-effective way. Certain information may be shared with internal services and external bodies like the Audit Commission, Department for Work and Pensions, the Home Office, other local authorities, HM Revenue and Customs, and the Police.
Automated decision making and profiling
Some of the data you provide may be processed by computer and therefore automated decisions may be made. For example your salary payments will, in the main, be calculated automatically. You can ask for this to be explained to you; please check the ‘your rights’ section. We may also use the data to build a profile of the council workforce, to ensure equalities of opportunity and to investigate service delivery improvements. This data would normally be anonymised and never used to make decisions on a specific individual.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, contact the council’s data protection officer at DPO@towerhamlets.gov.uk.
You have other rights in respect of your data, for example the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with council’s data protection officer at DPO@towerhamlets.gov.uk in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/.
Your rights and responsibilities
For the purposes of the GDPR, London Borough Tower Hamlets is the Data Controller. Where you are requested to provide information to us, any delays in providing it may result in a delay in the Council providing appropriate services to you. We process your data in accordance with the GDPR. If you have any concerns the Council’s Data Protection Officer can be contacted on DPO@towerhamlets.gov.uk.
You can find out more about your rights under GDPR (including details of your rights about automated decisions, data rectification etc) on the GDPR page.
This notification provides information on the processing of your personal data and as such overrides any previous data protection clauses in your contract of employment as previously issued to you. It is required to ensure that the council acts in accordance with the GDPR.
Appendix 1
The information that we collect and process and the reasons why we do so.
Appendix 1
| Information | Reason |
|---|
| Information Asset System |
- Northgate (HR and Payroll)
- Ebulk (DBS)
- Grasp (Recruitment)
- Altair (Pensions)
|
| Personal data collected from all employees |
- Name
- Address
- Date of Birth
- National Insurance No.
- Evidence of eligibility to work in the UK
- Bank details Gender (for purposes of pension calculations)
- Other information that may be required in order to process terms and conditions/changes during employment life cycle
|
| Personal data collected from employees when required* |
Information may be collected from some employees in order to process specific terms/changes during the employment life cycle. This could include:
- Maternity, adoption, shared parental leave documentation and birth certificate(s) of child(ren)
- Car documentation (insurance, MOT, registration)
- Pension membership details including other pension scheme membership
|
| Criminal conviction data |
Employees who occupy posts that are eligible for a DBS check to be undertaken will be required to provide appropriate documentation in order for the check to be carried out and where appropriate provide details of any convictions. The result of the check will be recorded electronically. |
| GDPR conditions for processing |
- 6(1)(b) performance of a contract;
- 6(1)(c) compliance with a legal obligation;
- 6(1)(e) task in the public interest or official authority vested in the controller
|
|
Sensitive personal data collected Sensitive personal data is a specific set of “special categories” that must be treated with extra security. These categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade Union membership
- Genetic data
- Biometric data
|
- Equalities information (collected on voluntary basis - not required by the council)
- Trade union membership for DOCAS purposes (collected on voluntary basis - not required by the council)
- Data concerning health
|
| Conditions for processing |
- 9(2)(b) employment, social security or social protection law, collective agreement;
- 9(2)(f) establishment, exercise or defence of legal claims;
- 9(2)(g) substantial public interest on the basis of Union or Member State law;
- 9(2)(h) preventative or occupational medicine, working capacity of the employee, medical diagnosis, the provision of health or social ca
|
| Brief description of the capture, processing, use and retention of data |
Information supplied by employee on job application forms, at beginning of employment and during employment life cycle. Information held electronically on iGrasp (recruitment); HR/Payroll system and where required Altair (Pensions system) and disposed of in accordance with the Records management Policy and Resources Directorate Disposal Schedule. |
| What would happen if data is not provided? |
- The council would be unable to pay employees or adhere to aspects of employment legislation (e.g. Employment Rights Act, Immigration legislation)
- Would be unable to process salary payments and Tax. (Payroll)
- Would be unable to collect pension contributions or pay pension.
- Decisions on job adaptations, continued employment etc. would be taken without expert advice from (e.g.) GP/hospital consultant. (Occupational Health)
|
| Data Sharing Agreement |
- Contract
- Medical with Consent (Occupational Health)
|
| If the data is transferred from a 3rd party to LBTH; Name and role of 3rd party |
On occasions data will be transferred to LBTH under the following circumstances
- TUPE transfers from other employers
- Transfer of employees from other employers
- Agencies for agency workers who are transferred to council HR/Payroll system
- Home Office (Immigration Service), DWP and other Government Departments
- Pension transfer information from other pension schemes
|
| GDPR condition under which the 3rd party captures and processes the data |
- 9(2)(b) employment, social security or social protection law, collective agreement;
- 9(2)(h) preventative or occupational medicine, working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management (Occupational Health)
|
| If the data is transferred to a 3rd party from LBTH; Name and role of 3rd party |
On occasions data will be transferred from LBTH under the following circumstances
- TUPE transfers to other employers
- Agency vendor (currently Adecco) for agency workers
- Home Office (e.g. Immigration Service), DWP and other Government Departments
- Agilisys for administration of IT systems
- Northgate for administration of HR/Payroll system
- Other pension scheme providers
- Hyman Robertson Actuaries for pension fund valuations
- Altair (Aquila Heywood)for administration of computer systems (Pensions)
- Health Management Ltd – Occupational Health providers
- GPs, NHS Trusts (Occupational Health)
- Other employers when specifically required e.g. in relation to shared parental leave
|
| If the data is transferred to a 3rd party from LBTH, reason for transfer |
- To ensure legal compliance (e.g. TUPE legislation; right to work in the UK) and correct processing of HR and payroll information
- To ensure correct pension is paid regardless of employer at time of retirement
- To ensure the correct calculations for deduction of pension contributions and pension payment
- To receive accurate information on medical conditions to ensure a correct diagnosis for purposes of workplace adjustments, medical retirement and the management of sickness absence
- To ensure the correct payment of statutory payments e.g. in relation to shared parental leave
|
| Is there an automated decision point? What is decided and on what basis |
For example:
- Data on unsuccessful job applicants – 6 months
- Pensions records – 6 years after final pension payment
- Occupational Health - up to 75 years, depending on age of employee
- Information related to employment - generally 6 years after end of employment, some shorter, some much longer (for pension purposes) and some permanent retention.
|
*Some information is not required from all employees e.g. information relating to cars is only for employees receiving car allowances. Note that this is not an exhaustive list