Privacy Notices - Employee COVID-19 individual risk assessment Privacy Notice

Introduction

You need to be aware of this Privacy Notice if you are completing an employee COVID-19 individual risk assessment.

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation, which explains how personal and confidential data about individuals is collected, used and shared.

Who is collecting and using your personal data?

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us. 

We will ensure that the data given to us is processed in line with our Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulations. (GDPR)

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.

What personal data do we collect?

Personal, protected characteristic and special category data relating to your COVID-19 risk status.

How do we process your personal data?

We comply with our obligations under the GDPR. This means it keeps personal data up to date; stores and destroys it securely; does not collect or retain excessive amounts of data; protects it from loss, misuse, unauthorised access and disclosure; ensures that appropriate technical measures are in place to protect it.

Why do we need your personal information?

We may need to use some information about you to ensure that all employees are able to work safely and comfortably in an environment which best suits their needs at this time.

How the law allows us to use your information?

There are a number of legal, legitimate or lawful reasons why we need to collect and use your personal information.

  • It is necessary to perform our statutory duties
  • It is necessary to protect public health
  • Public task – in the exercise of official authority and to perform a specific task in the public interest.

For special category data, the condition of processing will be the employment condition in Article 9(2)(b) of the GDPR, along with Schedule 1 condition 1 of the Data Protection Act 2018, which applies due to the Council’s health and safety obligations as an employer.
 

Who do we share your information with?

This data will be shared with your line manager and members of the HR & OD and Recovery Planning teams.

How do we protect your information?

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.

Examples of our security include: 

  • encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code, or what is called a 'cypher'. The hidden information is said to then be 'encrypted'.
  • pseudonymisation, meaning that we will use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours.
  • controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)
How long do we keep your personal information?

There is often a legal reason for keeping your personal information for a set period, so we try to include all of these in our corporate Retention & Disposal schedule and they are often explained within each service-related Privacy Notice.

For each service, the schedule lists how long your information may be kept for. This ranges from months for some records to decades for more sensitive records.

What you can do with your information?

You have a number of rights.

You can:

  • access and obtain a copy of your data on request (Subject Access Request)
  • require the Council to change incorrect or incomplete data
  • require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data where the Council is relying on its legitimate interests as the legal ground for processing

If you would like to exercise any of these rights, please contact the Council’s Data Protection Officer, Civic Offices, Euclid Street, Swindon SN1 2JH or email DataProtection@swindon.gov.uk.

 

Your right to complain

If you believe that the Council has not complied with your data protection rights, you can complain to the Information Commissioner at www.ico.org.uk.

What if you do not provide personal data?

You are obliged to provide your personal data to Swindon Borough Council to enable us to fulfil our obligations to you as an employee.

How will we ensure compliance?

A yearly audit will take place on personal data to ensure that we remain legally compliant in accordance with current data protection legislation.

Main privacy notice

You are viewing the Privacy Notice for an employee COVID-19 individual risk assessment.

Read the main Privacy Notice