Privacy Notice for Staff

This Privacy Notice sets out important details about information that BMI Healthcare may collect and hold about you, how that information may be used and your legal rights.  Please take time to read this Privacy Notice carefully and contact us if you have any questions about its content.

This Privacy Notice applies to all BMI Healthcare employees, as well as to bank and agency workers at our hospitals and other sites.  We have prepared a separate Privacy Notice for individuals applying for roles with BMI Healthcare and you may find that document also helpful to understand what information we collect and hold about you during the recruitment process, particularly as a copy of that information will also be retained within your employment file.  A copy of the Privacy Notice for job applicants can be found on our website.

We will review this Privacy Notice on a periodic basis and we advise you to check back on our website for the latest version.

Who has information about me?

Our hospitals are run by BMI Healthcare Limited.  Some of our hospitals (BMI Southend Private Hospital, BMI Three Shires Hospital and BMI Syon Clinic) and some of the services in some of our hospitals (the oncology service at BMI Beardwood Hospital and the imaging services at BMI Mount Alvernia Hospital and BMI Three Shires Hospital) are owned by partner companies, each of which has a management contract with BMI Healthcare and forms part of the BMI Healthcare group.  A partner company also owns the CT and MRI scanners at BMI The Meriden Hospital; this service is managed by UME.  Our decontamination business is run by a sister company to BMI Healthcare and forms part of the BMI Healthcare group. 

All these companies are registered at BMI Healthcare House, 3 Paris Garden, Southwark, London SE1 8ND and their full names and registered company numbers are as follows:

  • BMI Healthcare Limited – 02164270
  • BMI Hospital Decontamination Limited - 06003075
  • Three Shires Hospital LLP – OC398963
  • BMI Southend Private Hospital Limited – 05155289
  • BMI Syon Clinic Limited – 05706302
  • North West Cancer Clinic Limited (05706220) - BMI Beardwood Hospital oncology service
  • BMI Imaging Clinic Limited (05706274) - imaging service at BMI Mount Alvernia Hospital
  • The Pavilion Clinic Limited (06061941) – imaging service at BMI Three Shires Hospital
  • Meriden Hospital Advanced Imaging Centre Limited (05607465) – MRI and CT service at BMI The Meriden Hospital

Each of these companies may, to the extent relevant, collect, retain and use information about you and we refer to these collectively as ‘BMI Healthcare’ in this document.

External websites

We may from time to time include on our websites links to and from the websites of other organisations. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies and notices before you submit any personal data to these websites.

Where did you get this information from and what information does BMI Healthcare hold about me?

We have information about you which you have supplied to us when applying for a role with BMI Healthcare, by uploading it to our recruitment website, sending information to us by post or by email, or by providing this information to us over the telephone.  We also have information about you which you will have provided to us on starting your role and during your employment or engagement with BMI Healthcare. Some of this information may have been provided to us by an agency. 

The information we hold includes your name and contact details (postal and email addresses and phone numbers) as well as details of any work permit, your qualifications, professional registrations and experience and a copy of your CV.  We will also have details of any criminal convictions which we have obtained from you and/or from the Disclosure & Barring Service or Disclosure Scotland. We will also hold information about you and your suitability for the role which you have provided to us during any interview or other discussions, as well as references obtained from third parties and confirmation of qualifications from professional and/or educational bodies (such as the Nursing and Midwifery Council (NMC) and the Health and Care Professions Council (HCPC)).  On occasion, we may also hold information from HMRC or the Home Office.

We will hold appraisal and training records, salary and payroll details and records of any disciplinary or grievance processes which you have been involved with as well as details of your next of kin, any sickness absence, fit notes issued by your General Practitioner, occupational health referrals and maternity, paternity or parental leave taken. 

Some of this information may be of a more sensitive nature, such as your current or previous physical or mental health, your sex life and/or sexual orientation, your religion, nationality, race and/or ethnicity and genetic or biometric data relating to you.  We refer to this as ‘more sensitive information’ in this Privacy Notice.

In order for us to manage your employment or other engagement with us, we ask that you provide as much information to us as you can.  You are of course free not to disclose information to us and you should only provide such information as you feel comfortable doing so.  Please bear in mind, however, that if you are only willing to share limited information, this could impact on your employment with us and may (in certain circumstances) result in you being subject to our disciplinary processes or, in an appropriate circumstances, a referral being made to your professional body or regulatory authority.

How will BMI Healthcare use the information it holds about me?

We use information about you in connection with your employment or other engagement with BMI Healthcare and this includes:

  • Communicating with you in relation to your role with BMI Healthcare
  • Ensuring you have (and continue to have) the necessary skills, qualifications and competence to fulfil your role with BMI Healthcare
  • Paying you and administering benefits such as pension contributions, private medical insurance and life assurance
  • Ensuring you are fit to work and that we know of any reasonable adjustments required to enable you to perform your role
  • Maintaining records about those who work within our hospitals and other sites
  • Investigating and where appropriate, sharing, concerns raised or otherwise identified about you or your work
  • Complying with legal or regulatory requirements

It is necessary for us to use information about you as described above as part of the employment or other contract that exists between us.  We need to hold and use more sensitive information about you in order to carry out our employment and social security law obligations and to assess your working capacity.

Given the nature of our business, we carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history that makes you unsuitable to work at a BMI Healthcare hospital or other BMI Healthcare site.  The level of check will depend on the particular role and we have in place appropriate safeguards which we are required by law to maintain when processing such information. We consider the use of such more sensitive information to be necessary for reasons of substantial public interest. 

We may also use more sensitive information to ensure meaningful equal opportunity monitoring and reporting and to ensure appropriate safeguards are taken to assure patient safety.

In certain circumstances, such use may also be necessary for reasons of substantial public interest and/or in order for us to establish, exercise or defend our legal rights. We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud) or in connection with legal proceedings. 

We may also use information about you for maintaining our business records and developing and improving our recruitment processes and monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

Please see also the more detailed information in the sections below.

Will BMI Healthcare share information about me with others?

Yes; we set out these reasons below and assure you that in each case, we share only such information as is appropriate. 

Sharing information with BMI Healthcare staff who are involved in the recruitment process and in the day to day management of our staff and for ensuring the records we hold of those working in our hospitals and at our other sites are up to date. 

We will share information relating to you with those of our staff, including administrative staff, who are involved in the recruitment process and in the day to day management of our staff and in keeping our records of those working for us up to date. 

Sharing information about you with our occupational health team

Information about you may also be shared with our occupational health team (some of whom are not employed by BMI Healthcare but work with us under contracts which contain strict confidentiality provisions).

Sharing information with previous and current employers, staffing agencies, educational establishments and professional bodies (such as the NMC and HCPC)

We may share information relating to you with previous (and current) employers, staffing agencies, educational establishments and/or professional bodies to verify information you tell us about your previous experience, qualifications and professional registrations and/or to investigate or share concerns that may exist about you or your work.  We may also share information about you in connection with the revalidation processes of professional bodies.

Sharing information with third parties whose details you provide as referees

We may share information relating to you with previous employers, staffing agencies, and individuals whose details you provide to us to request a reference on your suitability for the role you have applied for. 

Sharing information with the Disclosure & Barring Service and Disclosure Scotland

Where we are required or entitled (in each case relevant to the role in question), we may share information relating to you with the Disclosure & Barring Service or Disclosure Scotland to confirm whether you have (and the details of) any criminal convictions. 

Sharing information with third parties who are not involved in the recruitment process, the day to day management of our staff or any of our checks

We may share information about you with external organisations such as our lawyers, auditors, financial, tax and public relations advisors and NHS organisations.  We may also share information about you with third party suppliers, which provide us with document scanning and storage facilities.  We may also share information about you with those providing us with information technology systems as well as clinical and non-clinical software applications (and related services) and website hosting.  In addition, we may share information about you with external organisations which provide us with electronic learning programmes and ILM assessments; some of these organisations may keep learner records separate to our own.  We may also share information about you with an external organisation which supports us in human resource matters including performance management, grievances and disciplinary proceedings.  We may also share information with third party suppliers which assist us in our employee engagement survey and our employee benefits schemes, including our health, pension and life assurance schemes. For those individuals working for us under the UK Government’s apprenticeship scheme, we may share information with the Department of Education (the government department responsible for that scheme).  In each case, we would share only such information as was relevant. 

Sharing information with patients, Consultants and advisors

We may share information about you with patients, Consultants and their (and our) advisors to respond to questions, complaints or claims, including from you.  In each case, we would share only such information as was relevant. 

Sharing with regulators or because of a legal obligation

We may share information about you with our regulators, including the Care Quality Commission, Healthcare Improvement Scotland and Healthcare Inspectorate Wales (which inspect our hospitals in England, Scotland and Wales respectively).  Other regulators with whom we may share information about you include the Medicines and Healthcare products Regulatory Authority (which ensures medicines and medical devices used in the UK work and are acceptably safe), the Human Fertilisation and Embryology Authority (which regulates and inspects all our clinics providing fertility services or which store eggs, sperm or embryos), NHS England (which leads the NHS in England), the Department of Health (the government department responsible for health and adult social care policy) and the Health and Safety Executive (the regulator responsible for overseeing workplace safety). 

Sometimes, we are required to disclose information about you because we are legally required to do so.  This may be because of a court order or because a regulatory body has statutory powers to access staff records as part of their duties to investigate complaints, accidents or professionals’ fitness to practise. Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest. Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.  On occasion, this may include the Home Office and HMRC.

Audits, surveys and initiatives

In common with other employers, we also look at the quality of our recruitment and employment processes.  We also provide NHS organisations with information to fulfil our obligations under the NHS Workforce Race Equality Standard, which helps ensure employees from black and minority ethnic backgrounds have equal access to career opportunities and receive fair treatment in the workplace.  We can assure you that your personal information remains under our control at all times and we ensure any information we provide outside of BMI Healthcare will not contain any information in which any member of staff can be identified, unless it is required by law.  Any publishing of this data will be in anonymised statistical form. 

Change of ownership

If we were to sell or transfer a hospital or part of our business to another organisation, your records would also transfer to the new owner.  Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. 

The reason we would transfer your records is to minimise the disruption to the on-going operation of the business and to ensure we and a new owner were able to comply with our legal obligations regarding the retention of such records, including the ongoing delivery of care to patients.

Where and for how long does BMI Healthcare store information about me?

The information about you that we hold and use is held securely in the United Kingdom and stored in paper format and on our secure servers (or those of our third party information technology provider).  However, where a referee, previous employer, staffing agency, educational establishment, professional body, patient or advisor is based overseas, we may transfer information about you to these, for the reasons described above. In addition, our third party information technology provider which supports our recruitment process uses some third parties based overseas to support its web hosting service and related software. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

We retain your records for certain periods (depending on the particular type of record) under our retention of records policy.  We retain your file (including your application documents) generally for six years after you have left BMI Healthcare; with certain documents (such as annual leave records) retained only for two years following your departure.  This timeframe may be extended in the event of a complaint, legal proceedings or where we are required to do so by a regulatory body.  These timeframes are to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including to support our legitimate interests, and to meet legal requirements.

If you would like more detailed information on this, please contact our Information Governance & Data Protection Officer (contact details below).

What rights do I have?

The law provides you with certain rights in relation to the information about you that we hold.  You may exercise these at any time by contacting our Information Governance & Data Protection Officer (contact details below) or as otherwise noted below.

There will not usually be a charge for handling a request to exercise your rights and if we cannot comply with your request, we will usually tell you why.  If you make a large number of requests or it is clear it is not reasonable for us to comply with a request, then we do not need to respond or we can charge for doing so.

Right of access

You have the right to access information held about you. This includes details of what information we hold about you and a copy of that information.  The information will be provided free of charge and, unless there are grounds for extending the statutory deadline, the information will be provided to you within one month of receipt of your request.  Please note we will generally also ask for confirmation of your identity and may need further information from you in order to locate the information, in which case the time period starts from the date we have that detail.  Please note that in some cases we may not be able to comply fully with your request, such as where your request also involves information about someone else and it would not be fair to that other person to provide the information to you.

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to rectification

We take reasonable steps to ensure the information we hold about you is both accurate and complete.  However, you are entitled to have the information rectified if that is not the case.  Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a rectification request.

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to erasure (sometimes referred to as the right to be ‘forgotten’)

In some circumstances, you have a right to have information about you ‘erased’ and to prevent us using or holding information about you.  Please note that we do not have to comply with such a request where it is necessary to keep your information in order for us to perform tasks which are in the public interest (including public health) or for the purposes of establishing, making or defending legal claims.  If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to restrict processing

In some situations, you have a right to ‘block’ or suppress our holding or using information about you.  As with the right to erasure, please note that we do not have to comply with such a request where it is necessary to keep your information in order for us to perform tasks which are in the public interest (including public health) or for the purposes of establishing, making or defending legal claims. 

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to data portability

You have the right to obtain and re-use your personal data for your own purposes across different services, allowing you to move, copy or transfer personal data from one IT environment to another.  This right, however, only applies to personal data you have provided to us, where the processing is based on your consent or for the performance of a contract; and when the processing is carried out by automated means.

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Rights relating to automated decision making

You have the right not to be subject to a decision when it is based on automated processing (i.e. by a computer alone), and it produces a legal effect or a similarly significant effect on you.  As noted above, BMI Healthcare does not carry out automated decision-making in relation to staff.

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to withdraw consent

You have the right to withdraw consent to us holding or using information about you, but only if ‘consent’ is the basis for us holding or using your information.  Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to object

You have the right to object to BMI Healthcare holding or using information about you in certain situations – where this is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. 

Please contact the Information Governance & Data Protection Officer (contact details below) should you wish to exercise this right.

Right to complain to the Information Commissioner’s Office

You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with the way we have dealt with a request from you to exercise any of your rights or if you think we have not complied with our legal obligations.  Whilst you do not have to do so, we would appreciate you making the Information Governance & Data Protection Officer aware of the issue and giving us an opportunity to respond and to address it before contacting the ICO. 

Making a complaint will not affect any other legal rights or remedies that you have.  More information can be found on the ICO website: https://ico.org.uk/ and the Information Commissioner's Office can be contacted by post, phone, fax or email as follows:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 9 (if you prefer to use a national rate number)

Fax: 01625 524 510

Email: casework@ico.org.uk

Contacting BMI Healthcare and the Information Governance & Data Protection Officer

For further questions or to exercise any rights set out in this Privacy Notice, please contact BMI Healthcare's Information Governance & Data Protection Officer:

Information Governance & Data Protection Officer
BMI Healthcare Limited
BMI Healthcare House
3 Paris Garden
London
SE1 8ND

Email: dataprotectionofficer@bmihealthcare.co.uk.

*Privacy Notice for Staff v1 May 2018