Once a decision has been reached about your application, information held about you will not be kept on the recruitment system for any longer than 13 months after the start date of the post to which you have applied. Pseudo anonymised data is retained in our data warehouse to allow for longitudinal analysis.Processing of successful applicants’ data by HEE Local Offices, Deaneries and employing NHS OrganisationsIf your application is successful, your personal (including special categories) data will be imported into the workforce database of the HEE local office/ Deanery responsible for your training. In addition, this data will also be provided to your employing NHS organisation (e.g. NHS Trust) through the Oriel employer portal. The following principles will apply:
• Processing of personal and special category personal data – the Data Controller will store and process information about you, including where you live, work and train, on secure management information systems. Information about your qualifications, assessments and appraisals and any other information pertinent to the effective management of your training and education will be stored on a secure database. Access to this information is restricted to authorised personnel within the Data Controller and to authorised personnel involved in the management of your training, such as training programme directors, educational supervisors and other personnel working for the Data Recipients and NHS employing organisations. Your data will be treated as confidential by the Data Controller (subject to what is said below about data sharing). It will be retained only for as long as necessary to manage and quality assure your training, following which it will be securely destroyed.
• Sharing your personal data – your personal data may be shared with other organisations (referred to as Data Recipients in this policy), using secure channels to provide the best possible training and education and to ensure that we discharge responsibilities for employment and workforce planning for the NHS; this will be on a legitimate need to know basis only.
The Data Controller and the Data Recipients will process your data for the following purposes:
• Managing the provision of training programmes
• Quality assurance of training programmes
• Workforce planning
• Managing patient safety
• Compliance with legal and regulatory responsibilities, including monitoring under the Equality Act 2010
• Purposes of revalidation (where this applies)
• Employment purposes
Your personal and special category personal data will not be shared with your consent (save in the way described below). The Data Controller will not share your personal data unless satisfied of the following matters:
• The data sharing is for a legitimate purpose and is proportionate
• Where the data are used for analysis and publication by the recipient, any publication will be on an anonymous and aggregated basis and will not make it possible to identify any individual
• The data will be handled by the Data Recipients in accordance with the General Data Protection Regulation
• The Data Recipients will maintain appropriate technical and organisational controls to ensure the protection of your personal data
• The data will not be transferred outside the EEA without adequate protection
Data Recipients are bodies from the following list: the UK Health Departments, Royal Colleges and Faculties, HEE local offices and devolved nation Deaneries, regulatory and licensing bodies (including the General Medical Council, General Dental Council, General Pharmaceutical Council and Health and Care Professions Council), NHS Trusts/Boards/Social Care Trusts, Medical Schools Council, UK Medical Schools (including overseas campuses), Higher Education Institutions, Royal Pharmaceutical Society, Academy of Healthcare Science, Work Psychology Group, Pearson Vue, approved academic researchers (i.e. individuals undertaking analysis for academic, non-commercial purposes on behalf of or in partnership with the Data Controller) and future employers (including private providers of healthcare).
• Use of recruitment data for evaluation, research, pilots and testing purposes – in addition to the data sharing referred to above, we may need to share your personal data and special category personal data with HEE local offices, the devolved nation Deaneries, the Department of Health and Social Care, the GMC, the GDC or any organisation designated by Health Education England.
The Department of Health and Social Care is a Data Recipient of all recruitment data. The extracts contain details of all applications (and therefore included your personal and special category personal data and your GMC number). These extracts are held securely and confidentially with access restricted to analysts who are not directly involved in the recruitment process itself but need access to the data to perform certain tasks. The data from these extracts are used for research and statistical purposes only.
For evaluation and research, your personal and special category personal data will be shared with the GMC or GDC or Academy of Healthcare Science. These research data are not used to make decisions about individual data subjects and all reports produced as a result of the research will be anonymous such that it will not be possible to identify an individual in any such report. A key requirement of the research undertaken is to understand applicant behaviour over time, to inform workforce planning and develop and improve recruitment systems. As part of the development of recruitment systems “real” (as opposed to dummy) information must be used for testing purposes. The carrying out of research and the testing of systems will not have any impact on data subjects.Your rights under GDPR
• Right to rectification and erasure – the GDPR extends and strengthens your rights as a data subject. Under the GDPR you have the right to rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the right to erasure is not an absolute right and it may be that it is necessary for the data controller to continue to process your personal data for a number of lawful and legitimate reasons.
• Right to object – you have the right, in certain circumstances, to ask the data controller to stop processing your personal data in relation to the recruitment process. However, the right to object is not an absolute right and it may be that it is necessary in certain circumstances for the data controller to continue to process your personal data for a number of lawful and legitimate reasons.
If you object to the way in which the data controller is processing your personal information or if you wish to ask the data controller to stop processing your personal data, please contact the appropriate recruitment office. However, if the data controller stops processing your personal data, this may prevent them from providing you with the best service.
• Subject Access
– you can access a copy of the information held about you by writing to HEE’s Public and Parliamentary Accountability Team (DPA@hee.nhs.uk
). This information is generally available to you free of charge subject to the receipt if appropriate identification.
• Data Portability – the GDPR sets out the right of a data subject to have their personal data ported from one controller to another on request, in certain circumstances. You should discuss any request for this with the appropriate recruitment office.If you want to complain about how your personal data has been used or to know more about how your information will be used, please contact firstname.lastname@example.org or you can contact HEE’s Data Protection Officer at GDPR@hee.nhs.uk.Alternatively, you can also contact the Information Commission if you have a complaint about the processing of your personal data:The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Your responsibilities under GDPRIt is important that you work with us to ensure that the information we hold about you is accurate and up to date. Please inform us if any of your personal data needs to be updated or corrected.All communications from Oriel will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive information or other important news and information about your employment or training.Health Education England’s privacy notice is available at: https://www.hee.nhs.uk/about/privacy-notice