Data Protection Policy

 

Company Name:
Globe Locums Limited T/A Globe Workforce Solutions (‘the Company’)

Document DP3:
Data Protection Policy

Topic:
Data Protection

Date:
27.5.2022

Version:
GL006GWS.A1.V1 WEBSITE

Introduction

We process personal data and therefore are required to comply with data protection legislation.  This includes in particular the Data Protection Act 2018 and the UK General Data Protection Regulation (together the ‘Data Protection Laws’).  The Data Protection Laws give individuals (known as ‘data subjects’) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.

 As an NHS Workforce Alliance Framework approved provider of insourced services to support the provision of healthcare, including clinical insourcing, we collect and process both personal data and sensitive personal data so we can provide these services. We are required to comply with other legislation and it is also required to keep this data for different periods depending on the nature of data.  

This Data Protection Policy sets out how we implement the Data Protection Laws.

Data processing under the Data Protection Laws

To fulfil insourcing solutions we process personal data in relation to our own staff, work-seekers and individual client contacts and we are a data controller for the purposes of the Data Protection Laws. We have registered with the ICO and our registration number is ZA141933.

We may hold personal data on individuals for the following purposes:

  • Staff administration

  • Advertising, marketing and public relations

  • Accounts and records

  • Administration and processing of work-seekers’ personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support

  • Administration and processing of clients’ personal data for the purposes of supplying/introducing work-seekers.

Data protection principles 

The Data Protection Laws require us acting as either data controller or data processor to process data in accordance with the principles of data protection. These require that personal data is:

  1. Processed lawfully, fairly and in a transparent manner

  2. Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  4. Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

  5. Kept for no longer than is necessary for the purposes for which the personal data are processed;

  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

  7. The data controller shall be responsible for, and be able to demonstrate, compliance with the principles.

 

Legal bases for processing

We will only process personal data where we have a legal basis for doing so. The processing conditions are: 

  1. Consent of the individual for one or more specific purposes

  2. Processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual to enter into a contract

  3. Processing is necessary for compliance with a legal obligation that the controller is subject to

  4. Processing is necessary to protect the vital interests of the individual or another person

  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller

  6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual which require protection of personal data, in particular where the individual is a child.

Where we do not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws.

Our Data Protection Team review the personal data we hold on a regular basis to ensure it is being lawfully processed and it is accurate, relevant and up to date.

Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers, back office support, outsourced administrative service providers)), we will establish that we have a legal reason for making the transfer.

Privacy by design and by default

We have implemented measures and procedures that adequately protect the privacy of individuals and ensure that data protection is integral to all processing activities. This includes implementing measures such as, data minimisation i.e. not keeping data for longer than is necessary, pseudonymisation, anonymization, cyber security and staff training.

Data Subject Rights

We shall provide any information relating to data processing to an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. We may provide this information orally if requested to do so by the individual.

1.     Right to be informed

Where we collect personal data from you, we will give you a privacy notice at the time when we first obtain the personal data.

Where we collect personal data other than from you directly, we will give you a privacy notice within a reasonable period after obtaining the personal data, but at the latest within one month.  If we intend to disclose the personal data to a third party then the privacy notice will be issued when the personal data is first disclosed (if not issued sooner).

Where we intend to further process the personal data for a purpose other than that for which the data was initially collected, we will give you information on that other purpose and any relevant further information before we do further processing.

2.     Right of access

You are entitled to access your personal data on request from the data controller, to check your data is being processed lawfully.

3.      Right to rectification

You or another data controller at your request, has the right to ask us to rectify and correct any inaccurate or incomplete personal data concerning your data.

4.      Right to erasure

You or another data controller at your request, has the right to ask us to erase your personal data.

If we receive a request to erase your data, we will ask if you want your personal data to be removed entirely or whether you are happy for your details to be kept on a list of individuals who do not want to be contacted in the future, for a specified period, reason or otherwise. 

We cannot keep a record of individuals whose data we have erased so there is a chance that you may be contacted again by the Company should we come into possession of your personal data at a later date.

If we have made your data public, we shall take reasonable steps to inform other data controllers and data processors processing your personal data to erase it, taking into account available technology and the cost of implementation. 

5.     Right to restrict processing

You or a data controller at your request, have the right to ask us to restrict our processing of your personal data where:

  • You challenge the accuracy of the personal data

  • The processing is unlawful and you oppose its erasure

  • We no longer need the personal data for the purposes of the processing, but your personal data is required for the establishment, exercise or defence of legal claims

  • You have objected to processing (on the grounds of a public interest or legitimate interest) pending the verification whether our legitimate grounds override those of the individual.

 

6.     Right to data portability

You shall have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller in circumstances where:

  • The processing is based on your consent or a contract; and

  • The processing is carried out by automated means.

Where feasible, we will send the personal data to a named third party on your request.

7.        Right to object to processing

You have the right to object to your personal data being processed based on a public interest or a legitimate interest. You will also be able to object to the profiling of your data based on a public interest or a legitimate interest.

We shall cease processing unless we have compelling legitimate grounds to continue to process your personal data which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You have the right to object to your personal data for direct marketing. To request to opt out from direct marketing please email dataprotection@globeworkforcesolutions.co.uk.

8.        Enforcement of rights

All requests regarding your rights should be sent to the Data Protection Team dataprotection@globeworkforcesolutions.co.uk.

Where you have consented to us processing your personal data and sensitive personal data you have the right to withdraw that consent at any time. Please note that if you withdraw your consent to further processing, that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.

There may be circumstances where we will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.

 

We shall act upon any subject access request, or any request relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling within one month of receipt of the request. We may extend this period for two further months where necessary, taking into account the complexity and the number of requests.

Where we consider that a request under this section is manifestly unfounded or excessive due to the request’s repetitive nature we may either refuse to act on the request or may charge a reasonable fee taking into account the administrative costs involved.

If we have given your personal data to any third parties we will tell those third parties that we have received a request to rectify, erase, restrict, for portability, objection, automation or profiling, your personal data as applicable, unless this proves impossible or involves disproportionate effort. Those third parties notified should also action accordingly regards the personal data they hold, however we will not be in a position to audit those third parties to ensure that the relevant actions have occurred.

9.            Automated decision making

We will not subject you to decisions based on automated processing that produce a legal effect or a similarly significant effect on you, except where the automated decision:

  • Is necessary for the entering into or performance of a contract between the data controller and the individual

  • Is authorised by law

  • You have given your explicit consent.

We will not carry out any automated decision-making or profiling using the personal data of a child.

Personal Data Breaches

 All data breaches should be referred to the Data Protection Team, dataprotection@globeworkforcesolutions.co.uk.

1.        Personal data breaches where the Company is the data controller

Where we establish that a personal data breach has taken place, we will take steps to contain and recover the breach. Where a personal data breach is likely to result in a risk to the rights and freedoms of any individual we will notify the ICO.

Where the personal data breach happens outside the UK, we shall alert the relevant supervisory authority for data breaches in the effected jurisdiction.

2.        Personal data breaches where the Company is the data processor

We will alert the relevant data controller as to the personal data breach as soon as they are aware of the breach.

3.        Communicating personal data breaches to individuals

Where we have identified a personal data breach resulting in a high risk to the rights and freedoms of any individual, we shall tell all affected individuals without undue delay.

We will not be required to tell individuals about the personal data breach where:

  • We have implemented appropriate technical and organisational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorised to access it, such as encryption.

  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the individual is no longer likely to materialise.

  • It would involve disproportionate effort to tell all affected individuals. Instead, we shall make a public communication or similar measure to tell all affected individuals.

 The Human Rights Act 1998

All individuals have the following rights under the Human Rights Act 1998 (HRA) and in dealing with personal data these should be respected at all times:

  • Right to respect for private and family life (Article 8)

  • Freedom of thought, belief and religion (Article 9)

  • Freedom of expression (Article 10)

  • Freedom of assembly and association (Article 11)

  • Protection from discrimination in respect of rights and freedoms under the HRA (Article 14)

Complaints

If you have a complaint or suggestion about our handling of personal data then please contact the Data Protection Team at dataprotection@globeworkforcesolutions.co.uk.

The Data Protection Team are responsible for:

  • Adding, amending or deleting personal data

  • Responding to subject access requests, requests for rectification, erasure, restriction data portability, objection and automated decision making processes and profiling

  • Reporting data breaches, dealing with complaints

You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/ or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.