Recruitment and employees
Your Personal Data is data which by itself or with other data available to HCA International Limited (HCA UK) can be used to identify you as an individual. Under data protection law, individuals have a right to be informed about how organisations use any personal data that they hold about them. We comply with this right by providing ‘Privacy Notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data.
This Privacy Notice sets out how HCA will use your personal data. HCA UK is the Data Controller for the information that it collects and processes about you, and you are the 'data subject'. Our Data Protection Officer can be contacted at 2 Cavendish Square, London W1G 0PU or at DPO@hcahealthcare.co.uk if you have any questions.
What personal information do we collect from you and how do we use it?
Who do we share your personal information with?
How long do we keep your personal data?
Data Subject’s Rights
Due to the current circumstances, if you submit a Subject Access Request (SAR) or other Data Subjects Rights request, please be aware that you may experience a delay in us responding to your request. This is because we are currently diverting resources to help with the response to the COVID-19 pandemic and ensuring the ongoing healthcare and treatment of our patients.
At this current time we are unable to collect any correspondence sent via post. If you need to get in touch regarding a SAR or other information request, please contact us via email at DPO@HCAHealthcare.co.uk
What personal data we collect and use?
Whether or not you become an employee, we will use your personal data for the reasons set out below and if you become an employee we will continue to use it to manage the recruitment and on boarding process and your employment with us. We will collect most of this directly during the application journey but there may be sources of personal data collected indirectly, as set out later in this Policy.
The personal data we use may include:
- your name, address and contact details, including email address and home and mobile telephone numbers, date of birth and gender;
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief*;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation; and
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
- information about your COVID-19 vaccination status.
*This information is not available to Hiring Managers during the recruitment process
If you are employed by HCA UK:
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- information about any criminal record; and
- information about you or anyone in your household’s COVID -19 status, your vaccination status and any COVID-19 symptoms.
HCA UK may collect this information in a variety of ways. For example, data might be collected through application and other forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from on boarding forms, online HR systems completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments. During the COVID -19 pandemic information may also be collected from Lab tests and thermal scanning procedures.
In some cases, the organisation may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we expect you to provide your personal data so we can process your application and manage your employment with us.
Monitoring of communications
Subject to applicable laws, we may monitor and record calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on your network and systems’ accounts where necessary for these reasons and this is for our legitimate interests or other legal obligations.
Situational Judgement Tests (SJTs)
HCA use Situational Judgement Tests (SJTs) as part of our recruitment process. This is a psychological tool used to evaluate your behavioural and cognitive abilities when presented with hypothetical work-related situations. The tests are designed to measure your fit with our company and role based on cognitive abilities, personality traits and social skills. This helps us to make sure we hire suitable employees and recognizes that we need to consider temperament and interpersonal skills as well as qualifications. We use Situational Judgment Tests to give us an idea of your ingenuity, sociability, integrity and other crucial traits.
How we use your personal data and the legal basis for processing
We will process your personal data:
- To decide whether to employ you;
- As necessary to support the employment contract with you and to pay you for your services;
- To manage your benefits and pension arrangements;
- To take steps at your request during the course of your employment;
- To keep your records up to date;
- As necessary for our own legitimate interests or those of other persons and organisations, e.g. for good governance, accounting, and managing and auditing our business operations;
- To monitor emails, calls, other communications, and activities on HCA networks and systems; For market research, analysis and developing statistics; and
- As necessary to comply with a legal obligation, e.g.: When you exercise your rights under data protection law and make requests;
- For compliance with legal and regulatory requirements and related disclosures;
- For compliance with the Health and Social Care Act and in considering how staff will be deployed.
- For establishment and defence of legal rights;
- For activities relating to the prevention, detection and investigation of crime;
- To verify your identity and make credit fraud prevention and anti-money laundering checks; and
- To monitor your emails, calls, other communications, and activities on your HCA and related providers networks.
- Based on your consent, e.g.:
If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf or an application for a mortgage; or otherwise agree to disclosures;
When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).
You are free at any time to change your mind and withdraw your consent where we are relying on your consent to process your personal data. The consequence might be that we cannot continue to assist you with these activities.
Our lawful basis for using your data
We only collect and use personal information about you when the law allows us to. Most commonly we use it where we need to:
- Fulfil a contract we have entered into with you;
- Comply with a legal obligation. This will include any changes in the law in response to the pandemic;
- Carry out a task in the public interest e.g. providing information to the NHS to support management of colleagues and patients with or at risk of COVID-19;
- Protect your (or someone else’s vital interests (e.g. the processing is necessary to protect someone’s life).
We may also use personal information about you where:
You have given us consent to use it in a certain way;
We have legitimate interests in processing the data – for example, where you have applied for another position and references are required as part of the recruitment process.
If we are processing special category data e.g. health related data we may do this for purposes relating to:
- Employment, social security and social protection;
- Provision of health or social care to you or others;
- Public health such as protecting against serious cross border threats to health such as the COVID-19 Pandemic.
- Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify HCA’s use of your data.
Who do we share your personal information with?
Subject to applicable data protection laws we may share your personal data with:
- Internally, your Line Managers, HR Personnel, Occupational Health;
The HCA group of companies and associated companies including entities in the United States;
- Sub-contractors and other persons who help us to provide products and services as part of your benefits package;
- Companies and other persons providing services to you as part of your employment including external testing laboratories;
- Our legal and other professional advisors, including our auditors;
- Fraud prevention agencies, credit reference agencies, and debt collection agencies;
- Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities) and with regulators e.g. the Financial Conduct Authority, the Information Commissioner's Office;
- Courts, to comply with legal requirements, and for the administration of justice;
- In an emergency or to otherwise protect your vital interests;
- To protect the security or integrity of our business operations;
- When we restructure or sell our business or its assets or have a merger or re-organisation;
- Payment systems and payroll providers; and;
- Anyone else where we have your consent or as required by law.
COVID–19 Data Protection Statement
During these unprecedented times, HCA Healthcare’s main priority is the health and safety of our patients, colleagues and the wider community as well as supporting the NHS in responding to the COVID-19 pandemic. We are supporting the NHS in responding to the COVID-19 pandemic and this will remain our focus at this time.
As a result of these unique circumstances, HCA may need to share personal data with the NHS and other regulatory and government bodies (e.g. Care Quality Commission (CQC) for the purpose of supporting the response to the COVID-19 pandemic. This will be done in accordance with data protection laws and will include any amendments to legislation made by the Secretary of State. We will also consider any relevant guidance provided by the Information Commissioner’s Office.
Sharing of your Personal Data during the COVID-19 pandemic
During the COVID-19 pandemic your personal data may also be shared for the following purposes:
Understanding COVID-19 trends and risks to public health and controlling and preventing the spread of COVID -19;
- Identifying and understanding information about colleagues, patients or potential patients with or at risk of COVID -19 including patient exposure to COVID-19;
- Management of colleagues and patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such colleagues and patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19;
- Understanding capacity and availability information about patient access to health services and adult social care services;
- Monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information (including workforce details) to the public about
- COVID-19;
- Delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19; and
- Research and planning in relation to COVID-19.
We will regularly review this privacy statement and its applicability throughout the COVID-19 outbreak. We may also notify you in other ways from time to time about the processing of your personal information.
Your rights under applicable data protection law
Your rights, under the data protection laws, are as follows (noting that these rights do not apply in all circumstances):
- The right to be informed about processing of your personal data;
- The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- The right to have your personal data erased (the "right to be forgotten”);
- The right to request access to your personal data and information about how we process it;
- The right to move, copy or transfer your personal data ("data portability") ; and
- Rights in relation to automated decision-making including profiling
You may exercise these rights by contacting us on exercisingmydatarights@hcahealthcare.co.uk
You have the right to complain to the Information Commissioner's Office (ICO). It has enforcement powers and can investigate compliance with data protection law. Contact the ICO on www.ico.org.uk.
Criteria used to determine retention periods
The following criteria are used to determine data retention periods for your personal data:
- Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have (e.g. if your application is unsuccessful);
- Retention in case of claims. We will retain your personal data for as long as you may legally bring claims against us; and
- Retention in accordance with legal and regulatory requirements. We will retain your personal data after you have left the organisation based on our legal and regulatory requirements.
International transfers
Your personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an 'international framework' of protection.
How to contact us
For more details on all the above you can contact our DPO at DPO@hcahealthcare.co.uk and the HCA Privacy Notices