{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Staff Data – GDPR Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} manages staff data in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Staff personal data is collected, processed, stored, and accessed only for legitimate business purposes, with transparency and confidentiality maintained throughout and in line with the requirements of the Care Inspectorate.
Our commitments include:
- Ensuring staff personal data is processed lawfully, fairly, and transparently.
- Implementing appropriate security measures to protect personal data from unauthorised access.
- Providing staff with clear information on how their data is collected, used, and stored.
- Granting access to staff data only where necessary and with appropriate authorisation.
- Enabling staff to exercise their data rights under GDPR.
2. Scope
This policy applies to:
- All employees, including full-time, part-time, and agency workers.
- HR personnel and managers responsible for data handling.
- IT personnel and third-party service providers processing or storing staff data.
- Data sharing with regulatory bodies such as the Care Inspectorate, HMRC, and the Scottish Social Services Council (SSSC), where that sharing is legally required.
3. Legal and Regulatory Framework
This policy aligns with:
- UK General Data Protection Regulation (UK GDPR).
- Data Protection Act 2018.
- Care Inspectorate Scotland requirements for data protection.
- Scottish Social Services Council (SSSC) Codes of Practice.
- Freedom of Information (Scotland) Act 2002 (where applicable to public sector contracts).
- Employment Rights Act 1996, governing employment record-keeping.
4. Lawful Processing of Staff Data
Under UK GDPR, staff data must be processed under at least one lawful basis. At {{org_field_name}}, we process staff data under:
- Contractual necessity – To fulfil employment contracts and payroll obligations.
- Legal obligations – To comply with employment laws, tax regulations, and regulatory reporting requirements.
- Legitimate interests – To manage human resources, training, and internal operations.
- Consent – When explicit permission is required for specific data processing (e.g., staff photographs for marketing purposes). Consent must be freely given and can be withdrawn at any time; it is not relied on where the employment relationship means a member of staff could not realistically refuse.
5. Categories of Staff Data Collected
{{org_field_name}} collects and processes the following categories of staff data:
- Personal Identification Data – Name, address, date of birth, contact details, national insurance number.
- Employment Records – Employment contracts, job descriptions, performance reviews, disciplinary records.
- Financial Data – Salary details, tax codes, pension contributions, bank account details.
- Health and Wellbeing Data – Occupational health records, sickness records, disability adjustments. This is special category data under UK GDPR and is processed only where an Article 9 condition applies (for example, the employment obligations condition) in addition to a lawful basis.
- Training and Compliance Records – Qualifications, CPD logs, SSSC registration details, mandatory training records.
- IT and Security Data – Email accounts, system access logs, security pass records.
6. Data Access and Authorisation
To ensure security and compliance, staff data access is strictly controlled:
- HR and Payroll Personnel – Access to employment contracts, payroll information, and benefits.
- Line Managers – Limited access to job-related performance data and attendance records.
- IT Administrators – Access to user accounts for system maintenance and security monitoring.
- Regulatory Authorities (e.g., Care Inspectorate, HMRC, SSSC) – Data shared only where legally required.
Staff are not permitted to access personal data of colleagues unless explicitly required for their role.
7. Data Storage and Security Measures
7.1 Physical Security
- Paper records are stored in locked filing cabinets, accessible only to authorised personnel.
- Restricted office access to HR and payroll areas.
7.2 Digital Security
- Staff data is stored only on secure, access-controlled systems that require an authenticated login.
- Multi-factor authentication (MFA) is used for sensitive systems containing personal data.
- Role-based access controls (RBAC) ensure staff only access the data necessary for their duties.
- Regular cybersecurity audits are conducted to identify vulnerabilities.
8. Data Retention and Disposal
8.1 Data Retention Periods
{{org_field_name}} retains staff data only for as long as necessary to fulfil legal and operational requirements:
- Payroll and tax records – Retained for 6 years (HMRC compliance).
- Employee records – Retained for 6 years after termination of employment.
- Training and SSSC compliance records – Retained for 5 years.
- Occupational health records – Retained for 40 years if related to health surveillance.
8.2 Secure Data Disposal
- Paper records are shredded using a cross-cut shredding process.
- Electronic data is securely erased using industry-standard data wiping techniques.
- Backups containing personal data are deleted according to retention schedules.
9. Staff Rights Under GDPR
All staff have the following rights regarding their personal data:
- Right to Access – Employees can request copies of their personal data.
- Right to Rectification – Employees can request corrections to inaccurate information.
- Right to Erasure (Right to be Forgotten) – Employees can request data deletion under certain conditions.
- Right to Restriction of Processing – Employees can request limited use of their data.
- Right to Data Portability – Employees can request their data in a machine-readable format.
- Right to Object – Employees can object to certain types of data processing.
- Right Not to be Subject to Automated Decision-Making – Employees have the right to human intervention in automated HR decisions.
Requests must be submitted in writing to {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, Data Protection Officer, who will respond within one month of receipt. Where a request is complex or several requests are received together, this period may be extended by up to two further months, and the member of staff will be told of the extension and the reason within the first month.
10. Data Breaches and Incident Response
10.1 Reporting a Data Breach
All suspected data breaches must be reported immediately to the Data Protection Officer (DPO). Examples of breaches include:
- Unauthorised access to personal data.
- Loss or theft of physical or digital records.
- Accidental sharing of confidential data with unauthorised parties.
Contact:
Email: {{org_field_data_protection_officer_email}}
Phone: {{org_field_data_protection_officer_phone}}
10.2 Incident Management
- The DPO will investigate the breach and assess risks.
- Unless the breach is unlikely to result in a risk to staff rights and freedoms, the ICO (Information Commissioner’s Office) is notified within 72 hours of {{org_field_name}} becoming aware of it.
- Where the breach is likely to result in a high risk to them, impacted employees will be informed without undue delay of the breach and of the remedial actions taken.
11. Staff Responsibilities
All staff at {{org_field_name}} must:
- Handle personal data responsibly and comply with GDPR principles.
- Report any concerns about data security breaches or misuse.
- Only access personal data when authorised to do so.
- Complete GDPR training as required by the organisation.
Failure to comply with data protection policies may result in disciplinary action.
12. Monitoring and Continuous Improvement
To ensure ongoing compliance, {{org_field_name}}:
- Conducts annual data protection audits.
- Provides regular GDPR training for all staff.
- Updates policies in response to legal or operational changes.
13. Related Policies
This policy should be read alongside:
- Data Protection and Confidentiality Policy.
- IT Security Policy.
- Whistleblowing Policy.
- Staff Training and Development Policy.
14. Policy Review
This policy will be reviewed annually or sooner if regulatory changes require amendments.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.