Privacy Policy

We need to collect and process Personal Data that relates to employees in connection with their employment. This Notice is to explain how we use and safeguard that Personal Data.

What is a Privacy Notice?

Find out about privacy notices and what they should include. The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

In addition Central London Healthcare Ltd (CLH) may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (such as, on a computer or other digital media, on hardcopy, paper or images, including CCTV) this personal information will be dealt with properly to ensure compliance with data protection legislation – the European General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA2018) which implements the GDPR in the UK.

We may collect and use personal data for the functions that we exercise jointly with the NHS.
HCL fully support and we are able to demonstrate compliance with the six principles of Data Protection Act 2018 which are summarised below:

  • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Information covered by data protection legislation

The GDPR definition of “personal data” covers any information relating to an identified or identifiable natural person – i.e. living individuals. Pseudonymised personal data is covered, however anonymised or aggregated data is not regulated by the GDPR or DPA2018, providing the anonymisation or aggregation has not been done in a reversible way.

Individuals and individual employee from which they can be identified can be identified by various means including their:

It may include but may not be limited to the following:

  • Personal contact information such as name, title, address, telephone number(s) and personal and/ or company email addresses.
  • Date of birth.
  • Gender.
  • Marital status and details of next of kin or dependents.
  • Employment records (including job titles, start date, work history, working hours, training records and professional memberships).
  • Workplace location.
  • Salary and benefit details and history including payroll records and tax records/information.
  • Holiday and absence records.
  • Copy documents such as passport or driving license or other identification document provided to us as part of our legal obligation to check an employee’s right to work in the UK.
  • Recruitment information (including references and other information included in a CV or cover letter or as part of the job application process).
  • Information relating to qualifications and performance including appraisal records.
  • Disciplinary and grievance information.
  • CCTV footage, photographs and other information obtained through electronic means such as swipe card records, time and attendance data and/or data from vehicle tracking software.
  • Information about an employee’s use of our information and communications systems.
  • Telephone conversation recordings and activity related to making and receiving telephone calls.

How is Personal Data collected?

Typically an employee will have provided Personal Data or we have recorded Personal Data about the employee in connection with or in the course of their employment. Occasionally we are passed Personal Data by a third party such as our payroll provider, HR advisers or training providers.

For what purposes is Personal Data used?

We will only use Personal Data when the law allows us to which can be summarized under the following headings:

  1. Consent: an individual has given clear consent for us to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for us to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party. Details of the Personal Data that we are most likely to process are set out in Appendix One.

How we keep your information confidential and safe

Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient unless there are other legal bases covered by the law.

All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.

The health records we use may be electronic, on paper, or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Your records are backed up securely according to our standard procedures, NHS policies and in accordance with DPA 2018 . We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external organisations who process your personal information in order to support us are contractually required to have appropriate organisation and technical measures to protect your personal data.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018;
  • UK GDPR;
  • General Data Protection Regulation (GDPR) 2016;
  • Human Rights Act 1998;
  • Common Law Duty of Confidentiality;
  • NHS Codes of Confidentiality and Information Security;
  • Health and Social Care Act 2012 and 2015;
  • And all other applicable legislation.

We will maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

Children and Families

We use the data we gather from children, young people and families we are supporting for the sole purpose of providing the best care and support that we can provide to them. This might also include being able to evaluate the quality of support we have given and audit our practices in order to improve our services.

We will share information where we believe that the sharing of that information is in the best interests of supporting a child or young person. Where it is legally required to do so, and prior to the sharing of any information, we will obtain the necessary consent of relevant parent/guardian.

We take our responsibility to safeguard the welfare of children, young people and vulnerable adults very seriously. We are legally obliged to pass on personal information to the relevant authority if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service, you will be notified of how your personal data will be used and under what circumstances shared. We will also continue to update you through privacy notices such as this one.

If you are receiving a service from us, we would collect your personal data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you.

If you are under 13, we will need to get consent, when required by law, from the relevant adult/s who act as your parent/guardian to hold your personal information.

Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us, but we would only take that data where we have a lawful basis to do so.

What rights and obligations do Employees have?

Duty to inform us of changes

It is important that Personal Data is kept accurate and up to date. Employees should please advise us if their personal information changes whilst they are employed by us.

Rights in connection with Personal Data

Under certain circumstances, individuals have the right to:

  • Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
  • Request correction of the Personal Data that we hold about them.
  • Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to processing on this ground.
  • Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
  • Request the transfer of Personal Data to another party. Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data, or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller

Distribution and Implementation

This document will be made available to all staff via the intranet site. A notice will be issued in the staff bulletin notifying of the release of this document.

Training Plan

A training needs analysis will be undertaken with staff affected by this document by the Corporate Information Governance team in conjunction with the Data Protection Officer.

Based on the findings of that analysis appropriate training will be provided to staff as necessary.


Compliance with the policies and procedures laid down in this document will be monitored via the Data Protection Officer a and the Corporate Information Governance team, together with independent reviews from Internal Audit

What we may need to comply with a Data Subject Access Request

We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.

Equality Impact Assessment

This document forms part commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.

As part of its development this document and its impact on equality has been analysed and no detriment identified.


No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to withdraw consent

In certain circumstances consent may be required to the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose, unless we have another lawful basis to do so.

Our Data Protection Officer

We will have in place a Data Protection Officer at all times so far as is possible. At the date of issue of this Privacy Notice we have appointed the person. The Data Protection Officer will oversee compliance with this Privacy Notice. For any questions about this Privacy Notice or how we handle Personal Data, please contact the Data Protection Officer using the contact details included.

Making a complaint

Individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

Amending this Privacy Notice

We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.

Terms of Usage

Accuracy of information

Occasionally there may be information on the Website that contains typographical errors, inaccuracies or omissions that may relate to product descriptions, pricing, promotions and offers. We reserve the right to correct any errors, inaccuracies or omissions, and to change or update information on the Website. No specified update or refresh date applied on the Website should be taken to indicate that all information on the Website has been modified or updated.

Prohibited uses

In addition to other terms as set forth in the Agreement, you are prohibited from using the Website: (a) for any unlawful purpose; (b) to solicit others to perform or participate in any unlawful acts; (c) to violate any international, federal, provincial or state regulations, rules, laws, or local ordinances; (d) to infringe upon or violate our intellectual property rights or the intellectual property rights of others; (e) to harass, abuse, insult, harm, defame, slander, disparage, intimidate, or discriminate based on gender, sexual orientation, religion, ethnicity, race, age, national origin, or disability; (f) to submit false or misleading information; (g) to upload or transmit viruses or any other type of malicious code that will or may be used in any way that will affect the functionality or operation of the Website and Services, third party products and services, or the Internet; (h) to spam, phish, pharm, pretext, spider, crawl, or scrape; (i) for any obscene or immoral purpose; or (j) to interfere with or circumvent the security features of the Website. We reserve the right to terminate your use of the Website for violating any of the prohibited uses.

Intellectual property rights

“Intellectual Property Rights” means all present and future rights conferred by statute, common law or equity in or in relation to any copyright and related rights, trademarks, designs, patents, inventions, goodwill and the right to sue for passing off, rights to inventions, rights to use, and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, rights to claim priority from, such rights and all similar or equivalent rights or forms of protection and any other results of intellectual activity which subsist or will subsist now or in the future in any part of the world. This Agreement does not transfer to you any intellectual property owned by the Operator or third parties, and all rights, titles, and interests in and to such property will remain (as between the parties) solely with the Operator. All trademarks, service marks, graphics and logos used in connection with the Website are trademarks or registered trademarks of the Operator or its licensors. Other trademarks, service marks, graphics and logos used in connection with the Website may be the trademarks of other third parties. Your use of the Website grants you no right or license to reproduce or otherwise use any of the Operator or third party trademarks.

Changes and amendments

We reserve the right to modify this Agreement or its terms relating to the Website at any time, effective upon posting of an updated version of this Agreement on the Website. When we do, we will revise the updated date at the bottom of this page. Continued use of the Website after any such changes shall constitute your consent to such changes.

Contact information

Questions about the Terms of Service should be sent to us at

Cookie policy

Privacy and cookies

This policy details how we use Cookies and what you can do to if you do not want us to place Cookies onto your computer.

We use cookies on this site to track user activity and to enable various types of functionality.
This websites will work without cookies, but you may lose some features and functionality if you choose to disable cookies. For example, you won’t be able to publish a page to Facebook, or ‘like’ a page via Facebook.

What is a cookie?
A cookie is a small text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie.

Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers.

It allows a website to remember things like your preferences or what’s in your shopping basket.

Please note that all of these Cookies on our websites exist to enable functionality on the website and not for advertising purposes.

We do use Google analytics (they use Cookies) this allows us to see which pages of our website are being looked at and which are not. This allows us to remove unused areas and pages for example.

Some people find the idea of a website storing this type of information on their computer or mobile device intrusive.

If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it or you can refuse cookies altogether. You can also delete cookies that have already been set.

If you wish to restrict or block web browser cookies which are set on your device then you can do this through your browser settings; the Help function within your browser should tell you how.

Alternatively, you may wish to visit, which contains comprehensive information on how to do this on a wide variety of desktop browsers.

There are two types of cookies you may encounter when using this website:

First party cookies:
These are our cookies, controlled by us, written to your computer by us.

We do not use First party cookies, in public areas of our websites.

Third party cookies:

These are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook, Twitter and YouTube, have their own cookies, which are controlled by them.

We sometimes use Third party cookies, in our websites.

  • Cookies with names prefixed by __utm – Stores information used by Google Analytics to track user activity on the site.
  • pid, k, guest_id, _twitter_sess, original_referer,external_referer, js, – Twitter cookies which allow content from Twitter to be shown on website pages and pages to be shared on Twitter.
  • datr, lu, s, locale, c_user, xs – Facebook cookies which allow sharing of a page on Facebook.
  • VISITOR_INFO1_LIVE Stores information used by YouTube to track video use.

If you have any questions or concerns about the cookies used on this site feel free to drop us a line and we will do our best to help.

More information about cookies
If you do not want these cookies to be tracked you can disable them in your browser.
You may wish to visit

Appendix One

Data Processing

The situations in which we are most likely to process Personal Data are in connection with the following processes set out below:

  • Dealing with recruitment or appointment and termination matters including the assessment of experience, qualifications and overall suitability for a particular role.
  • Determining an individual’s employment terms and the subsequent administration of matters connected with the employment relationship.
  • Checking upon an individual’s legal entitlement to work in the UK.
  • Checking upon an individual’s unspent convictions through the completion of a basic Disclosure and Barring Service check.
  • Checking upon an individual’s spent/unspent convictions through the completion of a standard Disclosure and Barring Service check but only limited to those individuals who carry out regulated activities with patients.
  • Payroll and benefit provision.
  • Managing our business including accounting, forecasting, planning, scheduling and auditing.
  • Conducting appraisals, managing performance and determining performance requirements.
  • Dealing with grievance and disciplinary matters.
  • Dealing with training and development requirements and related issues.
  • Dealing with conflicts and disputes involving employees.
  • To monitor use of our information and communication systems to ensure compliance with our IT policies.
  • Managing absence including assessing fitness to work.
  • Health and safety matters including compliance.
  • To prevent fraud.
  • Equal opportunities monitoring and advice. We believe that we have a legitimate interest in processing the above Personal Data in the context of the overall employment relationship. Some of the above grounds for processing may overlap and there may be several grounds which justify our use of Personal Data.

Appendix Two

Our safeguarding measures

Please note that we do not transfer any Personal Data to countries or territories that do not have adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

We do not use any Personal Data for automated decision making or other form of profiling.

We aim to keep Personal Data accurate and up to date. Data that is out of date or inaccurate will be amended when we are made aware of that. Employees should notify us if they become aware of any inaccuracies in their Personal Data held by us.

We will not keep Personal Data for longer than is permitted. This means that data will be destroyed or erased from our systems when it is no longer lawfully required. For regulatory purposes we are required to keep certain Personal Data for a six-year period after which it is securely destroyed.

We have in place procedures and solutions to maintain the security of all personal data from the point of collection to the point of destruction and have taken appropriate measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data. For example, we take the following steps to protect data:

  • Staff are trained in relation to the importance of privacy and data security.
  • Laptops are protected by encryption.
  • Electronic files can only be accessed via password logins We will only pass Personal Data to third parties where we are lawfully obliged to do so. For example, an employee may ask us to provide their salary details to a building society when they apply for a mortgage, or we may lawfully pass data to our payroll adviser in order to ensure that employees are paid.

We will not disclose Personal Data to a third party without consent unless we are satisfied that they are legally entitled to the data. Where we do disclose Personal Data to a third party without consent, we will only do so where that third party has confirmed that it has in place adequate measures to protect Personal Data.

Appendix Three

Our nominated Data Protection Officer

Mr Charles Oguntoye