Protecting our people's data: The RCN's employer privacy notice

Protecting the data of those who work for us, and who seek to work with us, is of the utmost importance.

In the same way that we are committed to protecting our members and customers' personal information, so too do we want you - our current and former staff, workers, job applicants and other individuals who engage with the Royal College of Nursing (RCN) in an employment context - to understand how we use the personal information that we hold about you before, during and after your time with us.

This document explains how we process personal data in manual and electronic records kept by the RCN in connection with our human resources function in accordance with current UK data protection legislation.

We may need to update this notice from time to time, and you should be aware that this notice does not form part of your contract of employment or any other contract we may hold with you to provide services.

It's also important that you read this notice alongside other policies and documents that we may provide from time to time when we are collecting or processing personal information about you so that you know how and why we are using that information.

Collecting and using your personal information

As an employer, the RCN is a "data controller" as defined in UK data protection legislation. This means that we are responsible for deciding how we hold and use personal information about you.

• Prospective RCN employees – those who sign up to our email job alerts and/or apply for vacancies advertised through our careers site.
• RCN employees – those who are employed by the RCN.
• Workers, contractors and consultants – those who directly or indirectly, e.g. through a recruitment agency, perform work on behalf of, or undertake a work experience placement with, the RCN for a time limited period.

We collect much of this data through our recruitment process – either directly or sometimes through a third party such as a recruitment agency. We also collect data from third parties such as your former employers. And we'll collect more personal information about you in the course of your relationship with us.

To enable us to fulfil our obligations arising from employment-related legislation and to perform the contract of employment or service that we have entered into with you, as well as the legitimate interests that arise from our relationship with you – whether ours, yours or a third party's – we collect and process personal information about you. Where the use of your data relates to the fulfilment of our, or a third party's, legitimate interests, we will only do so providing that your interests and fundamental rights do not override those interests.

Where no other lawful basis applies, we may seek to rely on your consent in order to process data. Where consent is to be sought, we will do so on a specific and individual basis where appropriate. You'll be given clear instructions on the desired processing activity, informed of the consequences of your consent and of your clear right to withdraw consent at any time.

Some of the data we hold is known as “special category” data under the UK's current data protection legislation, such as data relating to your health and trade union membership. We may also hold criminal offence data which relates to an individual's criminal convictions and offences. We process this data in accordance with the relevant legislation.

You should be aware that if you don't provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Some examples of what data we may hold are:

• Your personal contact details
• Evidence of your eligibility to work in the UK
• Information about your employment or engagement with us, such as your salary, office location and working pattern
• A photograph of you
• Equal opportunities data including your race or ethnicity, religious beliefs and sexual orientation
• Information about your health, including medical conditions and sickness absence

And some examples of why we hold such data are:

• To communicate with you during the recruitment process
• To check that you are legally entitled to work in the UK
• To pay you the correct rate for the work you do
• To identify you when you're on our premises
• To monitor and report on equality of opportunity
• To ascertain your fitness to work, support your wellbeing and fulfil our obligations under health and safety legislation
• To comply with various other regulatory and legal requirements.

We have measures in place to protect the security of your information. Most of your personal data is held on your personnel file – which may be both digital and paper – and accessed only by members of the HR team and management. Some data is held by management. Some data will be available to other RCN employees and those working for or on behalf of the RCN Group.

We keep your personal information for as long as is necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. Once it is no longer required we will securely destroy it.

Who we can share your information with

We may also share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

This might include other RCN Group companies, and any subcontractors, agents, or service providers who work for us – for example our occupational health service provider.

Where we do so, we require such third parties to respect the security of your data and to treat it in accordance with the law, including that they use your data for the specific purposes of our relationships with them, in accordance with our instructions to them, and not for their own purposes.

We may share your personal information with other third parties, for example in the context of the possible restructuring of the organisation. We may also need to share your personal information with a regulator or to otherwise comply with the law.

Transferring your information overseas

Your information may be transferred and stored in countries outside the European Economic Area (EEA), including some that may not have laws that provide the same level of protection for personal information. If we do this, we'll ensure your information has the appropriate level of protection, such as encryption.

Your rights

You have the right to access the information that we hold about you, the right to ask us to update incorrect or incomplete details and the right to object to, or restrict, the processing of your personal information.

Any requests or questions regarding this notice, the RCN's data protection policy and any related documents should be sent to the Data Protection Officer, Royal College of Nursing, Copse Walk, Cardiff Gate Business Park, Cardiff, CF23 8XG or emailed to data.protection@rcn.org.uk.

Version 1.0 - 25 May 2018