How the Cabinet Office handles HR and finance personal … – GOV.UK

We use some essential cookies to make this website work.
We’d like to set additional cookies to understand how you use GOV.UK, remember your settings and improve government services.
We also use cookies set by other sites to help us deliver content from their services.
You can change your cookie settings at any time.
Departments, agencies and public bodies
News stories, speeches, letters and notices
Detailed guidance, regulations and rules
Reports, analysis and official statistics
Consultations and strategy
Data, Freedom of Information releases and corporate reports
Updated 19 January 2023

© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/how-the-cabinet-office-handles-hr-and-finance-personal-information/how-the-cabinet-office-handles-hr-and-finance-personal-information-html
Cabinet Office is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This privacy notice describes how we collect and use personal information about you before, during and after your working relationship with us, in accordance with data protection law, including the General Data Protection Regulation (GDPR).
This notice covers all Cabinet Office business units and any arm’s length bodies that rely on the department for their staffing needs. It does not apply to the Crown Commercial Service or the Government Digital Service who have their own notices.
It applies to all prospective employees, employees, ex-employees and workers. This notice does not apply to contractors who are subject to individual/commercial contracts.
This notice does not form part of any contract of employment or other contract to provide services. This notice can be updated at any time and we will inform you if this occurs.
Please read this Privacy Notice along with any other relevant Privacy Notices on our Personal Information Charter.
To recruit employees, workers, including selection, proving your identity, checking you have the right to work, and vetting you.
To manage the employment relationship, including contacting you, carrying out appraisals, maintaining business continuity, management planning and reporting, managing talent and succession planning, maintaining your employment records, dealing with grievances and performance issues, and investigating breaches of contract such as leaks, and seeking your feedback on management issues.
To perform the terms of the employment contract, including paying you, providing a pension, offering you employee benefits, and providing you with training and development opportunities.
To allow other staff to contact you in your business role, and to allow people outside the department to contact you in your business role.
To carry of equality of opportunity monitoring on our recruitment process and in relation to  staff.
To compile departmental statistics, research and analysis, to contribute to civil service statistics for improvement of the service and efficiencies.
To bring or defend legal proceedings related to your employment, or to respond to orders from a court or tribunal.
To meet our legal duties under the Freedom of Information Act 2000, Environmental Information Regulations 2004, and the General Data Protection Regulation, and to cooperate with public inquiries.
To meet our duties under the Public Records Act 1958 to select and preserve records of historic value.
To assist regulators or law enforcement agencies where it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences.
Personal data means any information that relates to an identifiable living individual. It does not include anonymous data.
There are “special categories” of more sensitive personal data which require a higher level of protection. We collect, store, and use the following categories of personal information about you:
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
Copy of driving licence, passport, birth and marriage certificates, decree absolute, proof of current address, such as bank statement, council tax bill etc.
Evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance. This can include passport details, nationality details and information about convictions/allegations of criminal behaviour
Evidence of your right to work in the UK/immigration status
Diversity monitoring information: information about your race or ethnicity, religious beliefs, sexual orientation
Information on your socio-economic background including information about your parents’ highest qualifications and main job, which we use as indicators of your socio-economic background
Information about criminal convictions/allegations and offences as part of Baseline Personnel Security Standard checks.
Evidence of how you meet the requirements of the job including CVs and references etc.
email address and telephone number
Dates of birth, marriage and divorce
Gender
Marital status and dependants
Next of kin, emergency contact and death benefit nominee(s) information
National Insurance number
Bank account details, payroll records and tax status information
Salary, annual leave, pension and benefits information (including state and occupational pension retirement age, and current/previous pension scheme details)
Wage related information including allowances, overtime payments, bonuses and miscellaneous payments
Start date and leaving date
Location of employment or workplace
Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
Full employment records for Civil Service employment (including contract, terms and conditions, grade, job titles, employee number, work history, working hours, promotion, absences, attendances, training records and professional memberships)
Compensation history
Performance and appraisal information
Talent information including talent biographies
Appraisal information, including 360-degree feedback
Talent scheme membership
Coaching and mentor status
Reservist status
Information on you, your partner and your child required to operate the shared parental leave scheme
Disciplinary, investigation, whistleblowing and grievance information
Secondary employment and volunteering information, including information on staff who volunteer with HR improvement initiatives
Information on corporate role you hold within the organisation
Information on learning and development, training, and professional development undertaken
Trade union membership
Information about your health, including any medical condition, health and sickness records
Information about business travel
We typically collect personal information about prospective employees, employees, and workers through the application and recruitment process, either directly from candidates or sometimes from a third party such as an employment agency or background check provider.
These third parties include:
Former employers
Credit reference agencies
Disclosure and Barring Service (DBS)
Other background check agencies
Other Government Departments
Pensions administrators
Medical and occupational health professionals
Professionals who advise the department generally and/or in relation to any grievance, conduct appraisal or performance review procedure
Recruitment agencies where workers are procured
It is necessary in order to take steps at your request prior to entering into a contract. This concerns receiving your application for employment or pre-employment checks.
It is necessary to comply with a legal obligation placed on us; this is checking you are legally entitled to work in the UK.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is carrying out National Security vetting for required roles, or equality of opportunity monitoring.
It is necessary for the performance of a contract to which you are a party, which in this case is your employment contract. This concerns:
Paying you and, if you are an employee, deducting tax and National Insurance contributions
Providing employment-related benefits to you including:
Occupational Sick, Adoption, Maternity, Paternity, Shared Parental and Annual leave and pay (including payslips)
Pension
Advances of salary
Season ticket loans
Childcare vouchers
Reward vouchers and bonuses
Liaising with your pension provider, providing information about changes to your employment such as promotions, changing in working hours
General administration of the contract we have entered into with you, including the monitoring of office attendance
Conducting performance and talent reviews, managing performance and determining performance requirements managing sickness absence
Making decisions about salary reviews and compensation
Managing your carers passport
Managing any trade union role you have
Assessing qualifications for a particular job or task, including decisions about promotions
Gathering evidence and any other steps relating to possible grievance, investigations, leaks, whistleblowing or disciplinary matters and associated hearings
Making decisions about your continued employment or engagement
Making arrangements for the termination of our working relationship
Providing you with education, training and development requirements
Managing your membership of your Civil Service profession or function
Processing bank cards and ePurchasing Card Solution (ePCS) applications
Corporate credit card management
Stationery order processing
Processing taxi bookings, business travels and hotel accommodation
To provide you with access to employee benefits
To operate the Cycle to Work Scheme
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This concerns providing information to enable overall management of the Civil Service, monitoring equality of opportunity in line with our Public Sector Equality Duty, transparency duties, co-operating with public inquiries, and to prevent fraud.
It is necessary to comply with a legal obligation placed on us as the data controller. This concerns providing tax and salary information to HMRC, and dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work. It also concerns preserving historic records, and responding to statutory requests under the freedom of information, environmental information and data protection legislation. It also relates to responding to orders of a court or tribunal (e.g. for disclosure of documents).
Where we need access to medical records or occupational health reports, or where you ask for specific pension rights to be enabled (such as health data and ill health retirement rights), then our legal basis for processing this data is your consent. We will ask for your explicit consent at the time.
Where you ask us to set up workplace giving to a charity, we will do so with your consent.
If you are managed via an online HR platform, it is possible to add a photograph if you choose. Where you do so, our legal basis for processing that data is your consent.
If we seek your feedback on Shared Services or SOP through our survey provider, we rely on your consent to process any personal data.
It is necessary for the performance of a contract to which you are a party. This concerns continuing obligations to pay pensions and death benefit, and processing exits from the organisation including redundancy and ill health retirement.
Where your personal data is passed to the National Archives to form part of the historic record. Your personal data will be protected from disclosure. This also concerns responding to statutory requests under the freedom of information, environmental information and data protection legislation, but only where doing so would not breach your rights under data protection legislation. It also relates to responding to orders of a court or tribunal (e.g. for disclosure of documents).
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This concerns co-operating with public inquiries.
Special Category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
This concerns information about criminal convictions/allegations and offences to conduct baseline security clearance checks.
This concerns diversity monitoring of applicants
This also concerns:
Information relating to leaves of absence; this can include sickness absence or family related leave, to comply with employment and other laws
Trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations
Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
Where it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people. This is why we collect information about your race or national or ethnic origin, religious beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting
Where it is necessary for reasons of substantial public interest for the exercise of our functions. This concerns information about criminal convictions/allegations that disclose to us.
Where it is necessary for the establishment, exercise or defence of legal claims, for example to deal with employment tribunal cases
In relation to occupational health or medical data such as the eye test scheme.
This relates to complying with legal obligations, or responding to orders of a court or tribunal (e.g. for disclosure of documents).
We will share your business contact details with other employees, and business contact information may be shared with persons who are not employees where there is a business need to do so.
We will in some circumstances have to share your data with third parties. “Third parties” includes third-party service providers (including contractors and designated agents) and other entities within the Civil Service.
We will share as appropriate your data with the following third parties:
The Office for National Statistics, mainly for statistical purposes
The Government Internal Audit Agency, for audit purposes
The Government Legal Department, where we need to seek legal advice
Other government departments, for management of Civil Service Professions and Functions
Other organisations, where an employee transfers or undergoes a secondment to that organisation
HMRC in carrying out their security cluster duties on our behalf e.g. vetting
Public inquiries, where it is necessary for the carrying out of the inquiry
IT infrastructure providers
Payroll (Shared Service Connected Ltd) provider
Our survey supplier for staff feedback on SOP or Shared Services
Pensions administration (My CSP)
Employee benefits provider (Edenred)
Overseas Healthcare insurance (Foreign & Commonwealth Office, and their data processor Healix)
Recruitment administration platform providers
Occupational Health provider (People Asset Management (previously OH Assist)
Workplace Adjustment provider (Civil Service Workplace Adjustments Team)
HR casework providers (MoJ Casework)
Providers of taxi, travel and accommodation services
Where we have statutory duties in respect of compliance, complaints and investigation (Civil Service Commission), advice under the Business Appointment Rules (Advisory Committee on Business Appointments), and casework in compliance with the Government Code for Public Appointments (Office of the Commissioner for Public Appointments)
Fast Stream HR Self Service platform providers
Offsite paper document storage (TNT)
Consideration of in-year bonus payments (In-Year Bonus Panel)
Talent Teams in other government departments for the purposes of talent management
Talent and development programme providers (varies)
360-degree feedback provider
Workplace giving provider (Charities Trust)
Cycle to Work partner (Cycle Solutions)
Parliament where it is necessary to obtain for you a Parliamentary pass, or where we are required to provide information to a committee of either House
a regulator or law enforcement agency where it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences
A third party who makes a statutory freedom of information, environmental information or data protection request, where the release of such data does not breach your rights under data protection law
We share non-identifying information about pay, job roles and grading with contracted external market pay providers to enable us to benchmark pay rates.
We will also share data with Civil Service Human Resources (part of the Cabinet Office) in relation to overall management of the Civil Service. Please see our Personal Information Charter for more details.
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, the use of Model Contract Clauses, or another appropriate safeguard.
Some of your personal data may be processed offshore by our services provider, Shared Services Connected Limited (SSCL). SSCL use Centres of Excellence in the UK and in India to manage our back-office services. Your personal data receives the same level of protection when processed offshore as it does onshore. This protection is delivered by the use of Model Contract Clauses. More information on the offshoring process can be found on the Cabinet Office Intranet.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Details of retention periods for different aspects of your personal information are available in our retention policy. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.
Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy.
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a “subject access request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
Object to processing of your personal information where we are relying on the legal basis that we are carrying out our public task (see ‘legal bases’ above).
You also have the right to object where we are processing your personal information for direct marketing purposes (although we do not use it for that purpose)
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact: dpo@cabinetoffice.gov.uk.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.
We sometimes need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information. If you have any concerns about how your personal data has been handled, please contact the DPO.
The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office,

Wycliffe House,

Water Lane, Wilmslow,

Cheshire,

SK9 5AF

or 0303 123 1113,
or casework@ico.org.uk.
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
The data controller for your personal data is the Cabinet Office.
If you have any questions about this privacy notice, please contact Cabinet Office at:
dpo@cabinetoffice.gov.uk.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We will also notify you in other ways from time to time about the processing of your personal information.
Don’t include personal or financial information like your National Insurance number or credit card details.
To help us improve GOV.UK, we’d like to know more about your visit today. We’ll send you a link to a feedback form. It will take only 2 minutes to fill in. Don’t worry we won’t send you spam or share your email address with anyone.

source

Leave a Comment