Data protection privacy notice (employment)

This notice explains what personal data (information) we hold about you, how we collect it, and how we use and may share information about you during your employment and after it ends. We are required to notify you of this information under data protection legislation. Please ensure that you read this notice (sometimes referred to as a ‘privacy notice’) and any other similar notice we may provide to you from time to time when we collect or process personal information about you.

Who collects the information

Heartbeat Primary Care CIC (‘Company’) is a ‘data controller’ and gathers and uses certain information about you.This information is also used by our affiliated entities and group companies.

Data protection principles

We will comply with the data protection principles when gathering and using personal information, as set out in our GDPR combined policies and procedures.

What information

We may collect the following information during your employment:

  • Your name, contact details (ie address, home and mobile phone numbers, email address) and emergency contacts (ie name, relationship and home and mobile phone numbers);
  • Information collected during the recruitment process that we retain during your employment;
  • Employment contract information;
  • Details of salary and benefits, bank/building society, National Insurance and tax information, your age;
  • Details of your spouse/partner and any dependants;
  • Your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information;
  • A copy of your driving licence;
  • Details of your pension arrangements, and all information included in these and necessary to implement and administer them;
  • Information in your sickness and absence records (including sensitive personal information regarding your physical and/or mental health);
  • Your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs;
  • Criminal records information, including the results of Disclosure and Barring Service (DBS) checks;
  • Information on grievances raised by or involving you;
  • Information on conduct and/or other disciplinary issues involving you;
  • Details of your appraisals and performance reviews;
  • Details of your performance management/improvement plans (if any);
  • Details of your time and attendance records;
  • Information regarding your work output;
  • Information in applications you make for other positions within our organisation;
  • Information about your use of our IT, communication and other systems, and other monitoring information;
  • Your image, in photographic form;
  • Details of your use of business-related social media, such as LinkedIn;
  • Your use of public social media (only in very limited circumstances, to check specific risks for specific functions within our organisation; you will be notified separately if this is to occur); and
  • Details in references about you that we give to others.

Certain of the categories above may not apply to you if you are an independent contractor, freelancer, volunteer, intern.

How we collect the information

We may collect this information from you, your personnel records, the Home Office, pension administrators, your doctors, from medical and occupational health professionals we engage and from our insurance benefit administrators, the DBS, trade union, other employees, consultants and other professionals we may engage, eg to advise us generally and/or in relation to any grievance, conduct appraisal or performance review procedure, Systems used are: communications systems, remote access systems, trading platforms, email and instant messaging systems, intranet and Internet facilities, telephones, voicemail, mobile phone records.

Why we collect the information and how we use it

We will typically collect and use this information for the following purposes (other purposes that may also apply are explained in our GDPR combined policies and procedures):

  • for the performance of a contract with you, or to take steps to enter into a contract;
  • for compliance with a legal obligation (eg our obligations to you as your employer under employment protection and health safety legislation, and under statutory codes of practice, such as those issued by Acas);
  • for the purposes of our legitimate interests or those of a third party (such as a benefits provider), but only if these are not overridden by your interests, rights or freedoms;
  • because it is necessary for carrying out obligations or exercising rights in employment law; and
  • for reasons of substantial public interest (equality of opportunity and regulatory requirements).

Further information on the monitoring we undertake in the workplace and how we do this is available in our GDPR combined policies and procedures, available from on the Heartbeat website,

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any material changes to information we collect or to the purposes for which we collect and process it.

How we may share the information

We may also need to share some of the above categories of personal information with other parties, such as external contractors and our professional advisers and with potential purchasers of some or all of our business or on a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations. We may also be required to share some personal information with our regulators or as required to comply with the law.