Care Connect collects and processes personal data relating to its temporary workers to manage the employment relationship. Care Connect is committed to being transparent about how it collects and uses that data to meet its data protection obligations. This privacy notice explains:
- the categories of personal data the collected;
- how we collect your personal data;
- the lawful processing conditions for personal data;
- who has access to your data;
- how is your data protected;
- how long is data kept;
- your rights;
- what happens if you don’t provide your data;
- automated decisions;
- data security breaches; and
- data held.
Categories of personal data
Care Connect collects and processes a range of information about you. This includes:
- contact details;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers;
- the terms and conditions of your employment including information about your remuneration, including entitlement to any benefits;
- details of your bank account, tax identity and social security number;
- information about your nationality and entitlement to work in Jersey,
- details of any disciplinary, grievance or capability procedures in which you have been involved, including any warnings issued to you and related correspondence;
- details of any criminal records, convictions or charges;
- assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence; and
- information about medical or health conditions, including whether or not you have a disability for which the company would need to consider if they were able to make reasonable adjustments under discrimination law.
How Care Connect collects your personal data
Care Connect collects this information in a variety of ways. Data is collected through application forms, CVs; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings, or other assessments and/or investigations when utilising Care Connects policies and procedures.
In some cases, Care Connect may collects personal data about you from third parties, such as: recruitment or government agencies; references supplied by former employers; information from employment background check providers; and information from criminal records checks permitted by law. Data is stored in a range of different places, including your personnel file, Care Connects IT systems.
Lawful Processing Conditions
Where Care Connect holds and processes personal data (including special category data) it will do so normally for the following lawful basis:
- Contract: the processing is necessary for a contract Care Connect has with you, or because you have asked Care Connect to take specific steps before entering into a contract;
- Legal obligation: the processing is necessary for Care Connect to comply with a law (not including contractual obligations); and/or
- Legitimate interests: the processing is necessary for the Care Connects legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
Care Connect may also use personal information with:
- Consent: you have given clear consent for the Care Connect to process your personal data for a specific purpose and have given explicit consent for the processing of special category data, where required.
Finally, Care Connect may also use personal information in the following situations, which are likely to be rare:
- Public Interest: the processing is necessary for Care Connect to perform a task in the public interest or for the Care Connect official functions, and the task or function has a clear basis in law.
- Vital interests: the processing is necessary to protect your life.
Care Connect needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example:
- it needs to process your data to provide you with an employment contract;
- to pay you in accordance with your employment contract;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- to operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that agency workers are receiving the pay or other benefits to which they are entitled.
In some cases, Care Connect needs to process data to ensure that it is complying with its legal obligations. For example:
- to check your entitlement to work in Jersey;
- to deduct tax and social security;
- to comply with health and safety laws;
- to enable you to take periods of leave to which you are entitled;
- respond to or defend itself against legal claims
In other cases, Care Connect has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Where Care Connect relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by your rights and freedoms and has concluded that they are not. Processing your data allows Care Connect to:
- run recruitment and promotion processes;
- operate and keep a record of disciplinary, grievance and capability processes, to ensure acceptable conduct within the workplace;
- operate and keep a record of performance and related processes;
- ensure effective general HR and business administration;
- provide references on request;
In limited circumstances, Care Connect may process your data (including special category data) with your consent. However, in some instances, even special category data may fall under a legal processing reason. For example:
- it may be necessary to carry out criminal records checks to ensure that you are permitted to undertake a role in question, or to work for certain clients, in these circumstances Care Connect will require your consent;
- information about health or medical conditions is processed to carry out employment law obligations (such as those in relation to agency workers with disabilities and for health and safety purposes). However, where Care Connect requires further information such as medical or health history, it will seek your express consent;
- information about ethnic origin, sexual orientation, or religion or belief, this is done for the purposes of equal opportunities monitoring and is lawful by virtue of paragraph 18 of Schedule 2 of the Data Protection (Jersey) Law, 2018.
Who has access to your data?
Your information will be shared internally with the Directors of Care Connect.
Care Connect may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks via the Jersey Vetting Bureau and the Disclosure and Barring Service.
Care Connect may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances, the data will be subject to confidentiality arrangements.
Care Connect will not transfer your data to countries outside the European Economic Area or that are not deemed adequate under the Data Protection (Jersey) Law, 2018.
How does Care Connect protect your data?
Care Connect takes the security of your data seriously. Care Connect has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its Managers in the performance of their duties. Full details of security measures can be found in Care Connect data protection policy which is on the Intranet.
Access to personal information is limited to those Managers and/or Directors of the business who have a need to know. Where Care Connect engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Care Connect expects staff members handling personal data to take steps to safeguard personal data of staff members, patients, or any other individual in line with this Privacy Notice and the organisational Data Protection Policy.
For how long does Care Connect keep data?
Care Connect will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment can be found in Care Connect Data Retention Policy on the Intranet.
Your rights and obligations
Care Connect will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. You are under a duty to inform Care Connect of any changes to your current circumstances.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require Care Connect to change incorrect or incomplete data;
- require Care Connect to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where Care Connect is relying on its legitimate interests as the legal ground for processing; and
- ask Care Connect to stop processing data for a period if the data is inaccurate or there is a dispute about whether or not your interests override Care Connect legitimate grounds for processing data.
If you would like to exercise any of these rights, please use the appropriate forms that can be collected from the Operations Manager. If you believe that Care Connect has not complied with your data protection rights, you can complain to the Information Commissioner.
You also have obligations to Care Connect, particularly if you are tasked with regularly handling personal data of patients, colleagues, or third parties and therefore you also have responsibility for ensuring that processing meets the standards set out in this Privacy Notice and Care Connect Data Protection Policy. You should observe, as a minimum, the following rules:
- you must observe to the letter any instruction or guidelines issued by Care Connect in relation to data protection;
- you should not disclose personal data about Care Connect, colleagues, patients, or third parties unless that disclosure is fair and lawful, and in line with the organisational policies;
- you must take confidentiality and security seriously, whether you consider the information to be sensitive or not;
- any personal data collected or recorded manually which is to be inputted into an electronic system should be inputted accurately and without delay or the recorded data should be filed appropriately;
- you must not make any oral or written reference to personal data held by Care Connect about any individual except to other employees of Care Connect who need the information for their work or who are authorised recipients, or in the case of patients, other healthcare professionals who have a clinical requirement for the data;
- great care should be taken to establish the identity of any person asking for personal information and to make sure that the person is entitled to receive the information;
- if you are asked by an unauthorised individual to provide details of personal information held by Care Connect, you should ask the individual to put their request in writing and send it to the Operations Manager but inform the Operations Manager immediately. If the request is in writing, you should pass it immediately to the Operations Manager;
- you must not use personal information for any purpose other than your work for Care Connect if you are in doubt about any matter to do with data protection you must refer the matter to the Operations Manager immediately;
- passwords should not be disclosed and should be changed regularly;
- if you ‘push’ emails or any contact details from Care Connect IT systems to your own personal mobile phone or home computer or if you access Care Connect IT systems from home or via the iPad, you must ensure that all data is kept securely, with passwords or passcodes enabled upon the device, which should also be locked when not in use. Should you lose any device this should be reported to the Operations Manager immediately. Should you have to replace the device, you must ensure that all data (including but not limited to any emails/contact details) gained through working at Care Connect is hard-deleted from the device after you have finished working;
- your own or third-party personal data should not be left unsecured or unattended, e.g. on public transport;
- particular diligence must be exercised when patient data is being used outside of the office, for instance when in a patient’s home. All data must be kept securely, and if left in a vehicle, must be out of sight and the vehicle must remain locked at all times;
- emails containing employee or third-party personal data must not be sent from a web-based email system;
- as far as possible, employee or third-party personal data contained in emails and attachments should be annonymised before it is sent by email or password protected; and
- documents containing sensitive information must be password protected and, if the document is required to be transmitted, the document and password should be transmitted separately.
Any breach of the above rules will be taken seriously and, depending on the severity of the matter, may constitute gross misconduct which could lead to summary termination of employment.
What if you do not provide personal data?
Care Connect does not require consent from you to process most types of personal data. In addition, Care Connect does not usually need consent to processspecial category personal data in order to carry out legal obligations or exercise specific rights in the field of employment law. If you fail to provide certain information when requested, Care Connect may not be able to perform the contract entered into with you (such as paying you or providing a benefit Care Connect may also be prevented from complying with legal obligations (such as to ensure the health and safety of its staff, follow due process for employment law purposes or abide with any discrimination legislation such as disability regulations).
You have some obligations under your employment contract to provide Care Connect with data. In particular, you are required to report absences from work (including the reason or the absence) and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide Care Connect with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in Jersey and payment details, have to be provided to enable Care Connect to enter a contract of employment with you. If you do not provide this or other information, it will hinder the organisations ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Where you have provided consent to the collection, processing and transfer of personal information for a specific purpose, you have the right to withdraw consent for that specific processing at any time. Once Care Connect has received notification of withdrawal of consent it will no longer process that information for the purpose or purposes originally agreed to unless it has another legitimate basis for doing so in law.
Data security breaches
Care Connect has put in place procedures to deal with any data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request. In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach. Therefore, if you become aware of a data security breach it is imperative that you report it to the Operations Manager immediately.