Staff Care Services Privacy Notice
Staff Care Services (SCS) is part of Cantium Business Solutions (Cantium), a company owned by Kent County Council. SCS offer Occupational Health and Support Line Services to Employers and employees of organisations, (that contract us to provide services), for example – public / private sector organisations, Schools, and Academies, amongst others as well as to Kent County Council employees. We aim to maintain the highest possible standards and seek to adopt best practice with regards to the way in which we manage and process data in the course of our business.
SCS collects, uses and is responsible for certain personal information about you. When we do we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). Cantium is registered as a data controller with the Information Commissioner’s Office (ICO). Depending on the service provided we are responsible as either a ‘controller’ or ‘processor’ of that personal information for the purposes of those laws. Our Data Protection Officer is iSystems.
This Privacy Notice offers both our customers (Employers who have contracted our services) and you, their employees, with meaningful and accessible guidance on our approach to handling personal data.
Who are we?
SCS offers a number of services:
- Occupational Health Services – including fitness for work assessments, workplace assessments, ill health retirement assessments, vaccinations
- Support Line Services – Counselling, Workplace Mediation, Return to Work Coaching
- An online and telephone advice service offering support and guidance on staffing matters relating to health and work to support compliance with The Equality Act.
In providing a service to your Employer, it will be necessary for SCS to gather, obtain, record and hold employee [your] personal information.
The personal information we collect and use
In the course of providing Occupational Health and Support Line services to your Employer we collect personal information about our customers’ employees. This information may be provided directly by you, as the employee or by your Employer on your behalf. This includes but is not limited to:
- Contact and identity information: such as name, address, telephone number, email address, date of birth.
- Special Categories of Data (also known as sensitive personal data): including personal characteristics (such as gender, age, ethnic group, health and disability information).
We may also obtain sensitive personal data from third parties, with your consent and in compliance with legislation and professional guidelines, with whom we liaise in providing a service to your Employer i.e. your GP, Medical specialist, or by a representative acting on your behalf e.g. appointed advocate / solicitor.
- Employment information: such as, information relating to work history, start dates, hours worked, post holdings, grade and salary information, attendance records, training records and details of your professional registration and any restrictions which may apply
- Management information: such as information related to recruitment, management, performance and employment of staff (for example disciplinary / absence / ill health / capability / performance management / grievance / management investigation records)
We may also obtain Management information from third parties with whom we liaise in providing a service to your Employer (i.e. LGPS / Teachers’ Pension Scheme / Legal Advisors), or by a representative acting on your behalf (trade union representative / solicitor).
How we use your personal information
We use your personal information to:
- Provide Occupational Health advice to you and to your Employer.
- Provide advice to your Employer regarding your health and how it may impact on your ability to work.
- Provide Support Line services to you – a confidential counselling service to you – no information is provided about your use of this service unless you have given us your consent.
- Fulfil requirements of pension schemes – e.g. Ill health retirement
- Communicate with you on behalf of your Employer where necessary throughout your employment lifecycle.
The lawful basis for which we collect and use your personal data
The lawful basis for which we collect and use your personal data are as follows:
- for the performance of a contract
- for compliance with a legal obligation or,
- legitimate interests in offering occupational health advice and/or the legitimate interests of our clients to receive occupational health advice
The lawful basis on which we collect and use special categories/sensitive personal data is as follows:
- for carrying out legal obligations or exercising specific rights in employment or social law
- for occupational health assessment
- where it is necessary for the establishment, exercise or defence of legal claims or where the courts are acting in their judicial capacity
- we use consent where it is appropriate for us to do so.
We will also comply with the Data Protection Act 2018.
How long your personal data will be kept
We will not keep your information during or after your employment for longer than is necessary, for either:
- the purpose of administering your individual staff record
- or as is necessary in providing a service to your Employer
- or as required by law
following which your personal data will be securely destroyed.
Who we share your personal information with
Personal information may be shared between SCS colleagues who legitimately need the information to carry out their duties in providing service/services to your Employer. All our staff are appropriately trained and understand their obligations with regards to the personal data they have access to.
Other than your Employer we may share your personal or sensitive personal data with the following:
- Representatives of recognised trade unions / health and safety, and professional associations identified by you to support your health and ability to work
- Pension schemes, including Local Government Pension Scheme and Teachers Pension Scheme
- Third parties engaged by SCS for the provision of identified services – i.e. to counsellors for provision of counselling services to you.
- KCC Safeguarding Team/Local Authority Designated Officer (LADO) for the purposes of safeguarding children and young people
- Law enforcement or other authorities if required by applicable law.
Providers of management information systems and platforms used by SCS may also have access to personal and sensitive personal data to enable them to provide the service for which they have been contracted. We require any providers to respect the confidentiality and security of your personal data and treat it in accordance with the law.
We may transfer your personal information outside the EU, but if we do, you can expect a similar degree of protection in respect of your personal information.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and the ICO as regulator of any suspected data security breach where we are legally required to do so.
Under the GDPR you have a number of rights which you can access free of charge. You have the right to request access to information about you that we hold (please see who to contact below). You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under the General Data Protection Regulation.
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent us delivering a service to you.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance (see who to contact below). Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to exercise a right, please contact firstname.lastname@example.org.
Who to contact
You can contact our Data Protection Officer, iSystems at email@example.com or by writing to Data Protection Officer, Cantium Business Solutions, Worrall House, 30 Kings Hill Avenue, West Malling, ME19 4AE
Please contact firstname.lastname@example.org to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
The General Data Protection Regulation also gives you right to lodge a complaint with the Information Commissioner’s Office (ICO) – the UK supervisory authority. The ICO may be contacted at https://ico.org.uk/concerns or telephone 03031 231113.
We keep our Privacy Notice under regular review. This document was last reviewed February 2020.