Employee privacy notice
The purpose of this document
Norfolk County Council (the County Council) is the "data controller" under the UK General Data Protection Regulation (GDPR) for the personal information held by the County Council. This means that we are responsible for deciding how we "process" (that is, collect, hold, use and disclose) your personal information. Our address is County Hall, Martineau Lane, Norwich, Norfolk NR1 2DH.
The County Council is committed to protecting the privacy and security of your personal information. By personal information, we mean information which, by itself or with other data available to the County Council, can be used to identify you.
This privacy notice:
- sets out how we look after your personal information
- describes how we collect, use and share your personal information and
- tells you about your privacy rights and how the law protects you.
This notice applies to current and former employees, including employees on zero hours or flexible contracts and casual workers. This notice does not form part of your contract of employment or contract to provide services.
Other workers including agency workers, office holders, interims or contractors are also covered by this notice where specified.
How the law protects you and the legal basis for processing your information
We must have a lawful basis for processing personal information. Our lawful basis for doing so will include:
- where the processing is necessary for the performance of a contract of employment or other contractual arrangement we have with you
- where the processing is necessary for the performance of a legal duty or to perform of a task of function carried out in the public interest.
- where the processing is necessary for the purposes of our legitimate interest
- where the processing is necessary for the compliance of a legal obligation to which the County Council is subject
- when you consent to it.
Our public task and legal duties and obligations include:
- Employment Rights Act 2002
- Income Tax (PAYE) Regulations 2003
- National Insurance Contributions and Statutory Payments Act 2004
- Statutory Shared Parental Pay (General) Regulations 2014
- Statutory Maternity Pay (General) Regulations 1986
- Statutory Paternity Pay and Statutory Adoption Pay (General) Regulations 2002
- Transfer of Undertakings Regulations 2006
- Local Government Act 1972
- Asylum and Immigration Act 2006
- Safeguarding Vulnerable Groups Act 2006
- Equalities Act 2010
- Gender Recognition Act 2004
- Gender Pay Gap Reporting Regulations
- Local Government, Planning and Land Act 1980
- Children Act 1989
- Trade Union Act
- Health and safety legislation
- Local Audit and Accountability Act 2014
- National Health Services Act 2006
- Health Service Control of Patient Information Regulations 2002
- Fire and Rescue Services Act 2004
- Education and Inspections Act 2006
- Care Standards Act 2000
- Health and Social Care Act 2008
- The Care Act 2014
- The Climate Change Act 2008 (2050 Target Amendment) Order 2019
Special category data
Under the GDPR particularly sensitive personal information, known as special category data, require higher levels of protection. For example, information about an individual's:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life
- sexual orientation
We may use your special category personal information in the following ways:
- Information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
- Information about your physical or mental health, or disability status, to ensure your health and safety in the workplace, to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer the occupational sick pay scheme.
- Information about your race or national or ethnic origin, religious beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting, or to provide support and guidance to you e.g. right to work status.
- Trade union membership information to pay trade union premiums.
Our lawful basis for processing this type of personal information includes:
- Where it is necessary to carry out our legal obligations or exercise rights in relation to your employment with us.
- Where it is necessary for the purposes of preventative or occupational medicine and assessing your working capacity as an employer
- Where it is necessary for the establishment, exercise or defence of legal claims
- Where it is necessary for reasons of substantial public interest including:
- For the exercise of a function by enactment or rule of law. The functions are the public tasks and legal duties set out above
- For the prevention or detection of unlawful acts or protecting the public against dishonesty
- For making a determination in connection with our occupational pension scheme. This will only be where we cannot reasonably be expected to obtain your consent and we are not aware of you deciding to withhold your consent.
- For the administration of justice or a statutory function of the Council
- For equal opportunities monitoring. This is subject to several safeguards, including your right to give notice that you do not want your data to be used in this way.We will explain this right further to you at the time this information is collected
- For the safeguarding of children and individuals at risk
- In limited circumstances, your explicit written consent. If we seek your consent, we will provide you with full details of the information we wish to process and the reasons for processing. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
The GDPR includes safeguards to protect the use of your special category data and criminal conviction data. Further details can be found on our website in the document named Special category data and criminal offences data policy which sets out our procedures for compliance with the principles of the GDPR and the retention and erasure of this information.
Criminal convictions data
Information about any criminal convictions is also given a similarly higher level of protection under the GDPR.
The lawful basis for processing staff criminal convictions are:
- For the performance of our public task and it is in the substantial public interest
- For the performance of a contract and it is in the substantial public interest
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you or by the police while you are working for us. We will use information about criminal convictions and offences to assess your suitability for continuing employment in your post or with Norfolk County Council.
The GDPR includes safeguards to protect the use of criminal conviction data. Further details can be found in the Convictions - Employing People with Criminal Convictions Policy P112b, available on the Norfolk County Council intranet, and in our Special category data and criminal offences data policy which sets out our procedures for compliance with the principles of the GDPR and the retention and erasure of this information.
What we use your personal information for
The use of your information is set out below. This applies to all staff except agency workers, contractors, interims etc. In the case of these workers, we use your information for the purposes marked: *
We will use your personal information for:
- Deciding to appoint you to a job*
- Determining the terms on which you are employed*
- Checking you are legally entitled to work in the UK*
- Checking you are legally entitled to work with children or vulnerable adults*
- Checking whether you are entitled to work in 3rd party confidential environments
- Paying you, and making tax and NI deductions as required by HMRC (also workers paid by NCC under IR35)
- Process timesheets or invoices to enable payment for work undertaken to be made (Non-employees only) *
- Statutory reporting to HMRC*
- Statutory payments and deductions - e.g. Statutory Sick Pay, Statutory Maternity Pay etc
- Liaising with the relevant pension's provider
- Updating your employment record to reflect changes to your contract
- Employee benefit scheme that you have signed up for - e.g. Norfolk Rewards, Childcare Vouchers, Car lease Salary Sacrifice Scheme, Cycle to Work, Shared Cost Additional Voluntary Contributions Scheme
- The promotion of our employee benefit schemes
- Awarding incremental progression
- Employee liability information in advance of a TUPE transfer
- Reviewing performance, managing performance and objective setting
- Gathering evidence about grievance, disciplinary or other capability investigation
- Making decisions about your continued employment or engagement
- Making arrangements for the termination of your employment or engagement
- Dealing with legal disputes involving you or other employees, workers and contractors including accidents at work
- Ascertaining your fitness to work
- Managing sickness absence
- Identifying and implementing adjustments
- Complying with health and safety obligations
- Workforce planning*
- Conducting testing of new payroll functionality or enhancements
- Carrying out data analytics to review workforce trends, application of terms and conditions
- Equal opportunities monitoring
- Workforce reporting requirements e.g. workforce census, Gender Pay gap reporting*, Trade union facilities time, Local Government Transparency Code 2015
- Monitoring the use of information, communication and printing systems to ensure compliance with our information management policies and the Conduct and Behaviour Policy P319
- Ensuring buildings, network and information security, including preventing unauthorised access to our buildings, computer and electronic communications systems and preventing malicious software distribution*
- Health surveillance
- Lone working tracking and vehicle tracking
- Recording meetings/events (e.g. audio or video recordings)
- Producing photographic identification material, e.g. ID badges
- Preventing, detecting and investigating fraud (Further information is available on the Norfolk County Council intranet)
- Responding to statutory inspections by HM Inspectorate of Constabulary and Fire and Rescue Services; Ofsted and the Care Quality Commission
- Completing audit assurance work to provide the Audit Committee with an annual opinion on the overall adequacy and effectiveness of the County Council's framework of risk management, governance and control.
- Communicating with you and seeking your views about employment and workplace related issues e.g. employee engagement survey; processes and procedures; use of software; Smarter Working
- Supporting organisational information e.g. phone book, structure charts, first aider/evac chair operator*
- Administering and implementing a National Immunisation Vaccination Service (NIVS) (e.g. flu) immunisation programme for the Council's staff (we do not collect your vaccination status but will know if you make a claim for funding towards a flu vaccination under the scheme).
- Identifying you for occupational testing eligibility
- Claiming funding from the European Structural and Investment Funds (ESIF) - only applies to ESIF funded roles)
- Claiming funding from Communities Renewal Fund and Shared Prosperity Fund when funding from ESIF terminates.
- Monitoring usage and providing access to car parks (County Hall)
- Monitoring and improving the performance of services within the Adult Social Services transformation agenda.
- Produce ID Badges* and Swipe Cards
- Creating and maintaining the Council's business continuity plans for incidents. There is more detailed information about how we might use your information in the Resilience Service Privacy Notice. There may be a business continuity plan(s) specific to your work area or role.*
- Reviewing travel use to support employees to adopt greener transport choices and reduce the council's carbon footprint
What information do we hold about you?
The information we hold about you applies to all staff except agency workers, contractors, interims etc. In the case of these workers, we use your information for the purposes marked: *
The information we hold about you may include:
- Personal details
- Date of birth*
- Marital/civil partnership status
- Contact details
- Home phone number*
- Personal mobile number*
- Work mobile number*
- Personal email address*
- Work email address*
- Other kinds of national identifier
- National Insurance Number (NINo)*
- NHS number
- Police National Computer Number (PNC No.)
- Biometric residence card number
- Driving licence
- Special category data
- Racial or ethnic origin
- Diversity declaration form
- Religious beliefs
- Union membership deductions
- Sexual orientation
- Health data including disabilities
- Sickness absence
- Occupational health and MIRS referrals, reports and letters
- Pre-employment health check outcome
- Access to work assessments and adjustments recommended and implemented
- Criminal convictions and offences*
- Pre-employment declarations
- Schools and further / higher education establishments attended
- Employment history*
- Former employers/work history
- Breaks in employment and reasons for these
- Professional qualification(s)
- Professional membership(s)
- DBS status
- Vetting records
- Current employment
- Start date in post
- Start date with Norfolk County Council
- Continuous local government service
- Employee number/payroll number
- Name of Department/Service
- Holiday entitlement
- Recruitment information including application form
- Right to work documentation*
- Information included in an application form or CV including supporting statement as part of the recruitment process*
- Psychometric or other skills tests as part of a recruitment or assessment process
- Employment records e.g. posts held, change of hours/location/length of contract
- Working hours (full time or part time) and flexitime records
- Training or other learning certification and/or records
- Incident report forms
- Sickness or other paid absences e.g. maternity, disability leave
- Parental leave or other unpaid absence
- Flexible working requests
- Health and safety information e.g. incident forms, Display Screen equipment assessment
- Performance development discussion records
- Disciplinary and grievance records
- Formal performance management/ capability records
- Preferred contact method
- Paper payslips
- Name "known as"
- Bank details*
- Salary and payroll information
- Insurance claims
- Compensation payments
- Tax code and status
- Pension deductions
- Salary sacrifice deductions
- Statutory deductions e.g. child support, student loans
- Give As You Earn
- Contractual information
- Employment contracts including written statement of particulars and offer letter
- Social Relationships
- Marital or civil partnership status
- Next of Kin
- Emergency contact
- Documentary Data
- Immigration status
- Leave to remain
- Right to work documentation
- Certificate of sponsorship and work Visas
- Birth certificate
- Evidence of name change e.g. Marriage certificate, deed poll etc
- Recordings (video or audio)
- Photographic images*
- Vehicle Registration Number (VRN)
- Any permissions or consents relating to collecting and processing individuals' data
- Consent for who we might share individual employees' data with
- Contractual location/work base
- Mobile phone location data
- Staff remote logging data*
- Staff lone working data*
- Corporate credit card use in shops
- Trackers in vehicles
- CCTV* (including ANPR footage)
- Swipe cards and entry/exit records*
- Use of internet data*
- County Hall car park entry/exit records
Who provides this information?
We collect personal information through the application, recruitment and onboarding process, either directly from you as an applicant or from the employment agency representing you (via our neutral vendor Geometric Results International / GRI UK) or Atlantic Data who carry out DBS checks on our behalf. We also collect information from your previous employer and nominated referees about your suitability for the position you have applied for.
We will collect additional personal information during your employment or engagement with the County Council.
Who we share this information with
We may also share your information, subject to contractual and other legal safeguards, with organisations contracted by the County Council to provide a service to the council or directly to you. These service providers are known as data processors and have a legal obligation under GDPR and to the County Council to look after your personal information and only use it for providing that service.
We may have to share your data with third parties where required by law in accordance with the grounds set out above. The grounds apply to all staff except agency workers, contractors, interims etc. In the case of these workers, we share your data with the third parties marked: * "Third parties" includes third-party service providers (including contractors and designated agents).
The following third-party service providers process personal information about you for the following purposes:
- WHWB - Provider of Occupational Health Services
- IPRS - Provider of Musculoskeletal rehabilitation and mental health services
- Vivup - Norfolk Support Line employee assistance programme
- Atlantic Data - Carry out DBS check processing
- Velocity* - Technical support to the HR/Payroll system and infrastructure
- OSHENS - Workplace incident reporting system
- HMRC* (workers paid by NCC under IR35) - Tax, NI and statutory payments and deductions
- Cabinet Office - Prevention, detection and investigation of fraud. (Further information is available on the Norfolk County Council intranet)
- Department for Education / Norfolk Pensions Service / NHS - Pension schemes
- Norfolk Rewards / Kiddivouchers / Halfords / Tusker / AVC Wise - Employee benefits and salary sacrifice providers
- Skyguard* - Provider of lone working technology
- Documation / HEAT/ Cyborg - Providers of legacy HR systems
- Click Travel
- European Structural and Investment Funds (ESIF) via central government departments - ESIF funded roles only. Evidence of pay details required to receive funding for role.
- Communities Renewal Fund and Shared Prosperity Fund via central government departments. - When ESIF funding terminates. Funded roles only. Evidence of pay details required to receive funding for role.
- Atria - Provider of Automatic Number Plate Recognition (ANPR) camera system in County Hall car park.
- Norse - Provides; ID badges, swipe cards, and manages car parks.
- Oracle Corporation (Oracle) - Provider of HR and Finance System
- Newton Europe - Provide analysis of the performance of NCC's Adult Social Services department. Only affects roles within adult social care and customer services where a staff name is recorded as a worker on a Liquid Logic record. Only the name of the individual is shared with Newton Europe.
- PA Consulting - Providers of workforce planning.
All our third-party service providers and other subsidiaries or parents in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions, as identified in separate privacy notices.
We may also be required to share your personal information with other third parties, for example, in the context of a TUPE transfer or public-sector re-organisation.
We may also need to share your personal information with a regulator or government agency to otherwise comply with the law.
If you choose not to give personal information
We may need to collect personal information by law, or under the terms of a contract we have with you.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform the contract we have entered with you. Any data collection that is optional will be made clear at the point of collection.
Change of purpose
We will only use your personal information for the purpose we told you about, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for a reason that is not compatible, we will notify you and explain the legal basis allowing us to use the information in this way, unless we are required or permitted by law to do so.
How we use your information to make automated decisions
We only make automated decisions about you where we are required to by law, to fulfil our employer obligations under pensions auto-enrolment, where you will be automatically enrolled in the pension scheme based on your age and earnings. Enrolment is reviewed every 3 years and employees may be put back into a scheme at this stage. You may notify us if you do not wish to be a member of the pension scheme. Please refer to the People section of the intranet (myNet) for further details.
Transferring your personal information to other countries
Your personal information may be transferred outside of the UK and the European Economic Area. While some countries have adequate legal protections for personal data, in other countries steps will be necessary to ensure appropriate safeguards apply to the information. These include imposing contractual obligations to ensure that these safeguards apply.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention schedule.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
You have the following rights (but note, these rights do not apply in all circumstances):
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. View guidance on how to make a subject access request and the request form. You do not have to pay a fee to access your personal information (or to exercise any of the other rights). But we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing If your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing If your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to exercise any of the rights referred to above, please write to firstname.lastname@example.org providing details of the right you wish to exercise.
- Right to withdraw consent: In the limited circumstances where you may have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
- To withdraw your consent, please log a service request via myOracle Helpdesk. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Data Protection Officer - Questions or Complaints
We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the County Council's DPO, by letter to Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2DH marked for the attention of the Data Protection Officer or by email to email@example.com
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. The ICO's address is Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 or online at https://ico.org.uk/global/contact-us/.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Approved by: Director for People
Date: 14 December 2023
Version number: 17