Skip to Content

HR Privacy Notice

Privacy Notice – HR Department

Personal Data Statement

1 Employer Details

This is the privacy notice of the St Elizabeth’s Centre, relating to the Human Resources (HR) Department.

The Centre’s registered office is at 29 Tite Street, London, SW3 4JX.

St Elizabeth’s operates/provides the following services:   a School, Children’s Home, College, Domiciliary Care; Adult Care (with Nursing) and Health Agency.

St Elizabeth’s operates the majority of its services from its site based in Perry Green, just outside Much Hadham, Hertfordshire. It also operates a service at Windhill, Bishop’s Stortford.

2 Scope

St Elizabeth’s Centre is strongly committed to protecting personal data. This privacy notice describes why and how we collect and use personal data within the HR Department, and provides information about individuals’ rights with respect to their personal data. Within this notice, “we” refers to the HR Department, to include that held by the Centre’s Learning and Development Department.

The notice relates to personal data provided to us, both by individuals themselves, or by others.  We may use personal data provided to us for any of the purposes described in this privacy statement, or as otherwise stated at the point of collection.

We have a range of policies and procedures in place to ensure that any personal information supplied to us is held securely and treated confidentially in line with the General Data Protection Regulations (GDPR).

3 Governance

The Centre’s Data Protection Officer (DPO)/appointed data protection person is the Director of Finance. Within HR, the Director of HR and Staff Development is responsible for data protection within the HR and Learning and Development Departments.

Under the direction of the HR Director, we regularly review our “Information Asset Register”, which details what personal data we collect, why we collect it, where it is stored, who has access to it, how it is processed and who is responsible for it. If you would like to view our current Information Asset Register please contact:-

Our Promise to You

We are committed to the General Data Protect Regulation (GDPR) principles. We aim to ensure:

  • transparency with regard to the use of personal data
  • that any processing is lawful, fair, transparent and necessary for a specific purpose
  • that personal data is accurate, kept up to date and removed when no longer necessary
  • that personal data is kept and processed safely and securely, protected against accidental loss, destruction or damage.


We are committed to the principles of data protection by design and by default.

If you believe that any of your personal data is inaccurate or untrue, or if you are dissatisfied with the way the information is being stored, processed or destroyed, please inform the HR Director at the earliest opportunity.

5 Why do we collect and hold your personal information?

Personal information which is collected and processed by us is required to enable the recruitment process, or for the management of your employment or work with us.

Further information with respect to recruitment is given as appendix A.

6 What personal information we collect

We hold personal data relating to applicants for employment, employees and workers and former employees or workers.

The HR department holds personal data which is defined as data relating to a person who can be identified, directly or indirectly, by this data “identifier” – for example, name.

We also hold some sensitive personal data which is defined as including: racial or ethnic origin, health, sexual orientation or criminal records.

Data may be collected, held or processed as a “hard copy” document or on an IT system,  

We hold and process personal data for numerous purposes, for example in relation to our recruitment decisions and ongoing employment, to include learning and development, pay etc, and for health and safety / security purposes. All personal information obtained and held by HR from employees, bank or agency workers is as is necessary to ensure that the Centre provides a service, which is consistent with our purpose of providing a person-centred care service, which meets all regulatory standards and statutory requirements.

Personal information that is held includes:-

  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Centre;
  • details of your bank account and national insurance number;
  • information about your marital status, next of kin and emergency contacts;
  • information about your nationality and entitlement to work in the UK;
  • information from your DBS check;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday, sickness absence, family leave, and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • assessments of your performance, including appraisals, supervisions, training you have participated in, performance improvement plans and related correspondence;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
  • ID (identification) / security photograph which is held on the Select HR IT system, CCTV images, and also biometric data (the “finger photo” used for rostering/attendance recording on the STARS IT system).

The means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.  

7 What is the legal basis for handling personal information?

Data protection laws require that, to process your personal data, we must meet at least one prescribed basis for it. We rely on one of the following basis for the activities we carry out.

  1. Consent - to obtain, hold or process some personal information we may ask for your consent first. Consent in these circumstances must be freely given, informed and may be withdrawn.

However, the majority of the personal data we collect and hold is not subject to consent. The legal basis for collecting, holding and processing this specific data is:-

  1. For the performance of a contract with you, or to take steps to enter into a contract;-

  2. To enable us to meet our statutory or legal obligations, to include auditing and regulatory purposes;

  3. For employer’s legitimate Interests - in the United Kingdom, organisations can use personal information where the benefits of doing so are not outweighed by the interests or fundamental rights or freedoms of individuals. The law calls this the “Legitimate Interests” basis for processing.

For example, we may rely on legitimate interests for processing personal data for:-

  • Helping to prevent and detect crime, to include safeguarding matters;
  • Protecting individual’s vital interests – for example, protecting the children and vulnerable adults in our care by carrying out regular checks on employees/workers through the Disclosure and Barring Service;
  • Complying with legal and regulatory requirements;
  • Reporting and analytical purposes;
  • Maintaining our records, and other administrative purposes.


8 How we collect and use information

The bulk of the personal information held by St Elizabeth’s is collected directly from each employee, worker or applicant for employment. However, an agency worker’s personal information may be provided to the Centre by the worker’s agency. Similarly, as part of an introduction process for employment made by an agency, personal information may be provided to us by the agency. Agencies that provide data to the Centre for employment/introduction purposes are responsible for ensuring that permissions have been obtained from the agency worker/applicant for employment. We may also process information about you that is provided to us by a third party (such as our Occupational Health service), and/or hold information about you provided to us from within the Centre, for example your line manager.

Where you supply another person’s personal data to us, for example emergency contact details / next of kin details, you must ensure that you have their consent and that you keep this information up to date.

Information is provided to us in hard copy/paper copy eg documents needed for the pre-employment checking processes, or electronically eg via the Centre’s recruitment applicant tracker system (ATS).

For the safety and security of our service users, employees and visitors, the Centre operates CCTV monitoring/recording. CCTV is used responsibly with proper safeguards in place. Its use at the Centre is informed by the Information Commissioner’s Office Data Protection guidance “In the Picture: a data protection code of practice for surveillance cameras and personal information”. For further information please see the Centre’s “Statement on the Use of CCTV” which is available on the intranet.

Within the recruitment process, we may use automated decision making. Applicants for employment will be expressly advised when this is part of the selection process.

All personal information obtained to meet our regulatory requirements will always be treated in line with our data protection and confidentiality policies.

9 How we store your personal information and keep it safe

The Centre has a range of policies that enable us to comply with all data protection requirements.

We store personal information securely within the HR Department, for example in hard copy within HR files which are kept securely in locked filing cabinets. It is also held on secure IT systems such as Select HR (the HR IT record system), St Elizabeth’s Time and Rostering System (STARS) and some personal data is provided to the St Elizabeth’s payroll department, and held and processed on ERNIE (the payroll system). Personal information (eg emails, spreadsheets, letters) may also be held on the St Elizabeth’s IT system (local servers). Where personal information is stored on an externally hosted or managed IT system on behalf of the Centre, the provider is expressly required to confirm compliance with GDPR. No personal data is held outside the EEU.

10 With whom we might share information outside St Elizabeth’s Centre

We will only disclose information about you to third parties:-

  • where we need to comply with our contractual duties to you. For instance we may need to pass on certain information to our external payroll provider or pension provider, or to obtain pre employment references, obtain employment background checks, or obtain necessary criminal records checks from the Disclosure and Barring Service;

  • if we are legally obliged to do so, for example to public bodies, law enforcement or regulators with authority to obtain disclosure of personal data.

Please note, we are not required to seek your consent to release your personal data in these situations.

Where we provide information for statistical purposes, for example for the National Minimum Data Set, the information is aggregated and provided anonymously so that there is no privacy risk involved in its use.

11 How you can access your own personal information held by St Elizabeth’s HR department

There are procedures in place to enable any employee, bank or agency worker whose personal information we possess to have access to that information on request. The right to access includes both the information and any uses which we might have made of the information.

In the interests of openness and fairness, the Centre allows all employees and bank workers to access the information held about them on Select HR at any time using the self service facility. Personal data is also held on STARS and is available via the self service function.

Additionally, employees and workers have the right to access personal data held about them on other IT systems, or in hard copy form, at reasonable intervals. This is known as a “data subject access request”. As a general rule, a copy of the requested information will be provided free of charge, although the Centre reserves the right to charge a reasonable fee when providing the data will incur disproportionate administrative cost, or where a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the person concerned will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner's Office (ICO)).

If you wish to request access to your personal data from us please email

In the event of a disagreement regarding personal data, the matter should be taken up under the Centre’s grievance procedure. This does not prevent you from exercising your right under the GDPR to complain to the supervisory authority (the Information Commissioner's Office (ICO)).

12 How long we keep information

There are protocols in place that determine how long St Elizabeth’s will keep information held or managed by HR which are in line with the relevant legislation and regulations. A copy of the record retention protocol is available on the intranet.

13 Right to be forgotten

The Centre recognises the right to erasure, also known as the right to be forgotten, as laid down in the GDPR. Individuals should contact the HR department with any requests for the deletion or removal of personal data. Please email:

Requests will be acted on provided there is no compelling reason for continued retention/processing and that the exemptions set out in the GDPR do not apply. These exemptions include where the personal data is processed for the exercise or defence of legal claims and to comply with a legal obligation for the performance of a public interest task or exercise of official authority.

14 Data Security/Data Loss

We have put in place data security measures that are appropriate to the risk involved in processing the data we hold.

If a data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the people affected will be informed as soon as possible, and the Information Commissioner’s Office (ICO) will be notified within 72 hours.

15 How we keep our privacy policies up to date

We will assess privacy risks continuously as part of our day to day activities. We will also carry out a wider review of policy and practice at regular and appropriate intervals.

16  Changes to this privacy statement

We recognise that collecting, holding, processing and destroying personal information within HR is an ongoing responsibility and will therefore keep this privacy statement under regular review.

If you have any feedback on this privacy statement to help us improve it please contact the HR Director.

This privacy statement was last updated on:- 1 May 2018.


See also:

  • Data Protection Policy

  • HR – data retention protocol

  • Statement on the Use of CCTV

Appendix A – further information regarding recruitment

As part of our recruitment process we need to collect and use personal information to include CV, application form, references, records of qualifications/skills/training along with verification documents and those needed to carry out checks with the Disclosure and Barring (DBS) service.

These enable us to:-

  • Assess your suitability to work for St Elizabeth’s Centre;

  • Conduct screening, assessments and interviews;

  • Make offers, and provide contracts of employment/worker contracts;

  • Carry out pre-employment checks, such as DBS and medical assessment.

Some information is held and managed on line using our Applicant Tracker System (ATS). Some is held and managed as hard copies.

Unsuccessful applications will be destroyed/removed from IT system after 12 months from the date the application was received/the outcome was notified to the applicant/post was filled (whichever is the later).