When you submit your application, the following privacy notice applies:
Your data is being collected by Velindre Cancer Centre, whose privacy notice can be found here.
The data controller for this information is Velindre University NHS Trust. This application tracking system is provided by Civica UK Ltd (https://www.civica.com/en-gb/product-pages/trac/) as a data processor.
To make an enquiry, a request for your personal information held as part of this process, or to arrange for any mistakes to be corrected, you may contact either the team who are handling your application or the Data Protection Officer ([email protected]).
 NHS Wales Shared Services Partnership (NWSSP)
Recruitment Services Privacy Notice
  
-  Introduction
 
NHS Wales is made up of several health organisations that include the NHS Wales Shared Services Partnership (NWSSP). They provide many services on an All Wales basis. This includes Recruitment.
If you have any questions regarding this information you must contact the Recruitment Services Department on 02921 500200 or email
South East Wales –  [email protected]
South West Wales – [email protected]
North Wales – [email protected]
This leaflet has been issued by the Information Governance function within NWSSP to assist and facilitate the Recruitment process within NHS Wales.
 
-  Your rights
 This leaflet covers your rights under a new law called the General Data Protection Regulation (GDPR). It emphasises the NWSSP’s need to make sure that we explain how we use your information during the recruitment process.
The information we give you about our use of your information will be:
- Brief, easy to read and easily accessible;
- Written in clear, plain language; and
- Free of charge.
 
-  What laws do we use?
 
The law determines how we can use your information. The laws we follow that allow us to use your information are listed below:
 
- General Data Protection Regulation
- UK Data Protection Bill
- Human Rights Act
- Freedom of Information Act
- Common Law Duty of Confidence - Confidentiality
- Computer Misuse Act
- Audit Commission Act
- Regulation of Investigatory Powers Act
- Health and Safety at Work Act 1974
The NHS Wales Shared Services Partnership Recruitment Services directorate that administer the processes that involve Recruitment for NHS Wales, is the holder and user of your information.
 
-  What types of personal information do we use for recruitment?
 
The information listed below, that you provide as part of your application form, will be used for Recruitment purposes.   By submitting an application for an NHS Wales organisation you are permitting data that is  already held by your employer to transfer with you to enable a safe and efficient recruitment process if you move to any other position within NHS Wales (or England).
 
The transfer of personal data is managed through the ESR inter authority transfer (IAT) process. This data includes:  
                                              
- Contact names, addresses, telephone numbers, date of birth;
- Personal information that includes gender, race, ethnicity, sexual orientation, religious beliefs (where you have provided this information);
- Medical information including physical health or condition (if provided);
- Employment history; including assignment history, pay scale point, increment date and service dates (to ensure correct payment) 
- Training and education
- References;
- Qualifications;
- Passport / Driving License information;
- Work permits (where applicable);
- Criminal record history (where applicable).
- Sickness absence
- Professional registrations
- Immunisations and vaccinations (this information is restricted to Occupational Health professionals and secured through User Responsibility Profiles)
 
We also collect documentation as evidence as part of our mandatory pre-employment checks, this includes items such as:
 
Identity document information for example Passport and Driving licence
- Utility bills;
- Right to work information
 
This information may be collected from you via a Face to Face pre-employment check meeting, via our Identity Document Validation Technology (Trust ID) or via email. It will be retained on your personal file and may be used for future recruitment purposes if you move to another role within NHS Wales
 
If you do not wish for your identity document and pre-employment information to be reused for this purpose. Please contact the Recruitment Helpdesk on 02921 500200.
 
Please note, where the Trust ID system is used to verify your address as part of Pre-employment checks, this will be checked via Equifax and will show as a soft search on your credit report. This does not affect your credit rating.
 
Where a satisfactory DBS check is required for the role, this will form part of a conditional offer. In the event that a DBS certificate contains information, the successful applicant will be required to provide the DBS certificate to NWSSP Recruitment Services or the Recruiting manager to enable a recruitment decision to be made.
 
The recipients of your data (as a Data Controller) will be the employing Health Board/Trust that you have transferred to. Your current employer who will perform the processing and transfer of your data to the new employer, will only be the Data Controller for the time you are employed with that specific organisation and will effectively be a Data Processor in passing that information across. The system supplier and the software used in transfer of data is effectively a Data Processor and has been procured through a contract for use by all Health Boards and Trusts.
 
The NWSSP also runs regular reports on performance and activity by NHS Wales Health Boards. Anonymous information is also provided for equal opportunities analysis.
 
We may also use your email address to issue surveys for customer and candidate feedback in order to enhance our service.
 
-  What is the purpose of processing information?
 
The ESR Hire to Retire work programme was established to achieve the following objectives:
 
- Maximise efficiencies through use of ESR and interfacing workforce technologies
- Improve the employee on-boarding experience through automating and streamlining workforce processes whilst removing duplication and waste
 
Underpin NHS Wales workforce policies and strategies including:
 
- Reducing recruitment timescales
- Improving occupational health timescales and processes
- Maximising ESR interfaces including NHS Jobs, TRAC, Cohort and OPAS G2 Occupational Health Systems, Trust ID, Equifax, ESR interfaces and data portability using the ESR IAT
- Improving employee engagement and retention
- Management of learning (including digital learning), talent and performance
 
As an applicant for a job within NHS Wales, we will only use your information for Recruitment purposes and to conduct pre-employment checks for Safe Recruitment, and to reuse those checks for speedy recruitment and to save costs should you apply for a job within NHS Wales in the future.
 
Where we ask for your consent (permission), any refusal may result in withdrawal of the post offer due to various standards and the legislation that NHS Wales must adhere to at all times.
 
We will also use your information without permission only where it is justified by law. These may include allegations of fraud, where an applicant has lied on their application form or where someone has provided false documentation or qualifications.
 
The electronic staff record (ESR) is the Wales and England NHS workforce solution. In accepting employment with the Health Board / Trust, you accept that key data will be transferred or input into ESR to effectively manage recruitment and other workforce processes leading to improved efficiencies, safe employment and improved patient safety.
 
For purposes of clarification, the Health Board/Trust you work for is a Data Controller (responsible for the data held) of your information, whilst the ESR system and the processes within as well as the NWSSP, are Data Processors of your information.
 
-  Sharing your information
 
There are reasons why we share information for recruitment purposes.
 
This is normally for the application/recruitment process that includes:
 
- Administration of the NHS Jobs/Trac/Capita/Electronic Staff Record (ESR) and, Trust ID, Equifax and Cohort and OPAS G2 Occupational Health systems;
- Shortlisting potential applicants;
- Interviewing all shortlisted applicants;
- Performing Pre-Employment Checks (PEC checks) utilising Trust ID Software (where applicable) to digitally verify Right to Work and Identity documents and checking address against two sources such as Equifax for DBS Identity purposes; and
- Appointing successful applicants to the role applied for.
 
Under the law, your information is shared only with those recruiting managers that are responsible for the recruitment process to a vacant post within their department. This is so that only the appropriate people work together to recruit staff for the benefit of you and the NHS.
 
The lawful basis for utilising the ESR IAT and other workforce interfaces is legitimate interests. The processing is necessary for the organisation’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those interests.
 
In particular, GDPR Article 6 (Lawfulness of Processing):
 
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
 
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
 
The use of special category data Article 9(26)(h) has a legal basis for processing personal data is also pertinent to the transference of immunisation and vaccination data.
 
The sharing of personal data through secure ESR processes provides a more streamlined, safe and seamless on-boarding experience for the applicant whilst removing duplication, waste and process delays caused by alternative manual interventions and paper driven processes.
 
NHS organisations therefore have a legitimate interest in processing data in this way using the ESR IAT and interfacing workforce technologies.
 
It is important to note that anyone receiving information about you is under a legal duty to keep it confidential. We only request, use and share the minimum information necessary. 
 
We will never sell your information and we will not share it without the appropriate legal authority.
 
-  Security of your Information
 
The NWSSP takes responsibility to look after your personal information very seriously. This is regardless of whether it is electronic or in paper form.
 
We also employ someone who is responsible for managing information and its confidentiality to ensure:
 
- Your information is protected; and
- Inform you how it will be used.
 
All staff are required to undertake training on a regular basis. Comprehensive training is required to help protect the information that has been given to the NWSSP.  The training makes sure that all staff working in the NHS are aware of their responsibilities about the handling of your information regardless of the department that they work in.
 
-  What are you entitled to?
 
The NWSSP will make sure that you are able to have access to your information. This is so that you know what we hold.
 
You have the right:
 
- To know about details of how your information is used; and
- Have copies of your information.
 
If you want to know more please contact the NWSSP Information Governance Manager for further information about your rights of access.
 
The NWSSP tries to answer all requests for access to information as quickly as possible. The organisation is obliged to provide a response to your request within a month of receiving it, but this can be extended if the request is complex and extensive.
 
These rights relate only to your own information. You can request to see another person’s information, if one of the following applies:
 
- Parent/legal guardian of a child too young to exercise own legal rights
- Where someone (with mental capacity) has authorised the individual to operate on their behalf
- Under the terms of the Mental Capacity Act
 
The NWSSP will look at your request to make sure that the information requested is personal information. Most of the time, it will be clear that the information is personal but the NWSSP will contact you if it is not clear.
 
Do I have to pay a fee?
 
In most cases, the information will be provided free.
 
However, we could ask for a small fee. This is where the request is large or repeated.
 
This will be based on the cost of providing it. If you wish to find out more about fees for information, then please contact the NWSSP Information Governance Manager.
 
How will information be provided?
 
The information will be provided in a format that can be used on another system easily if it is electronic (i.e. Microsoft Word or Excel). Otherwise, it will be supplied on paper.
 
-  Permission (consent)
 
For the use of your personal information to be lawful, the NWSSP may ask for permission from you. This is not necessary if the use is for a lawful basis under current regulation such as for Recruitment purposes.
 
Any permission (consent) that is collected from you should have been given freely and you have not been pressured to do so. This should have been done clearly and you are aware of what the use of your information means.
 
Informing you and obtaining your consent
 
If your permission is asked for, you will be provided with information regarding this by use of this Privacy Notice. This will explain what you are being asked to give permission for. The NWSSP will have to prove that it gave you information and that you were fully aware of what you were giving permission for.
 
If permission is requested, you could provide this in several ways that include by writing, ticking a box on a web page, by choosing options in a mobile phone app, or by any other action that shows your acceptance of the use of your information.
 
-  What about stopping use? erase of data?
 
Although the legal bases for processing are clear above, the NWSSP will consider a request for stopping use that is received. However, the NWSSP will store information but will not use it anymore. In the Hire to Retire programme processes, it is highly unlikely that the data will be able to be subject to this as it is in connection with your recruitment.
 
However, any changes that include the stopping of the use of your information will be told to you at the time regardless of the service or department involved. Any restriction of erasure of your information will be considered on a case by case basis but requests for erasure and/or correction will be considered.
 
However, any withdrawn or unsuccessful job applications or applications that did not complete pre-employment checks will be retained for 13 months and destroyed after this time.
 
-  Automated decision taking
 
The NWSSP also provides safeguards against risks that involve processes that include automated decision-making.
 
This applies to you when:
 
- It is an automatic process; and
- There is a legal effect on decision made with your information.
 
 
NWSSP may take a small number of automated decisions with your information but there is mostly some human involvement in this. For example, checking/validating national competences before approving and committing these competences to the employee’s ESR record.
 
However, the NWSSP will take steps to identify how many automated decisions it makes and whether these are acceptable.
 
The NWSSP will ensure that any automated profiling is fair and lawful. The NWSSP will use correct procedures, to include reducing errors and where data is not accurate.
 
Successful applicants 
 
If your application is successful, your data is downloaded into the Electronic Staff Record (ESR) system.
 
The ESR system also interfaces with other systems such as the Nursing and Midwifery Council (NMC) Register, the Occupational Health System and the Disclosure and Barring Service (DBS) Update Service
 
Where a DBS check outcome is recorded for you in ESR, the ESR system will perform a search on the DBS update service. This in order to establish if you have a live DBS certificate with the DBS Update Service. If a match is found the interface will then check the update service every 60 days.
 
-  What about rights to correct or delete inaccurate information?
 
You are entitled to request that the NWSSP correct any mistakes in your information.
 
The NWSSP must ensure that proven inaccurate or incomplete information is either erased or corrected.
 
Keeping your information
 
Records are stored in line with local Records Management Code of Practice for retention and disposal schedule. This determines the minimum length of time records should be kept.
 
These include (for example):
 
Personnel files – 6 years after leaving service
Annual Leave Records– 2 years
 
The Trac Recruitment system has data retention rules in place, whereby an applicant file will be deleted from the system, 400 days from the date the application was submitted.
 
Successful applicant records will also be deleted after 400 days unless a start date is agreed and recorded in Trac, then there will be an additional 200 days until the applicant file is deleted.
 
Making a complaint
 
If you wish to make a complaint about any issues you have experienced regarding your information, then please contact:
 
Tim Knifton
Information Governance Manager
[email protected]
 
If you are still unsatisfied following your complaint and this remains unresolved, you have the right to make a complaint to the:
 
By post
Information Commissioner’s Office,
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
The electronic address for complaints is via the portal at: https://ico.org.uk/make-a-complaint/
 
Wales bilingual contact details are
[email protected]
0330 414 6421
 
Other systems 
 
An ESR Self Service support Hub has been established to support employees and managers in their use of ESR to perform workforce processes (for example - how to book annual leave, view your payslip, manage absence).
 
The software support application (Zen Desk) will enable you to easily communicate to the ESR support Team using phone, email and chat facilities. You will be required to confirm your identity by stating your name, ESR employee number and nature of the query. Please do not volunteer any other personal information. 
 
 
Further information
 
For more information relating to this leaflet or questions on the content of this information, please contact NWSSP via email or telephone as below; 
 
Email: [email protected]
 
Phone: 02921 500200
 
Website: http://nww.employmentservices.wales.nhs.uk/recruitment