The personal data we collect, process, hold, and share include information about members of our staff - former, current, temporary contracts, interns, anyone seconded to us, or anyone on our payroll.
Personal data can be held in electronic, paper, or any other accessible format (documents, emails, forms, images, voice recordings, etc.).
This means we hold information about you to manage the employment relationship, including your name, your contact details, employment history and references, your CV/job application, any health & welfare information (for occupational health purposes), any equalities information you may have provided, payroll and pensions data, training requirements, letters and correspondence about your employment, and your absence and leave records.
Your name or some of these other details may also appear on Fire Service reports, lists, registers, papers, and systems when referring to your actions as an employee.
Why we collect and use this information
The information we collect, hold and process is to enable us to perform our function as a Fire & Rescue Service and, as your employer, manage our relationship with you effectively, lawfully, and appropriately whether it is during the recruitment process, while you are working for us, when your employment ends, or after you have left the organisation.
It enables us to comply with your Employment Contract (Statement of Particulars), any associated Schemes of Conditions of Service and negotiated terms, Service policies, any legal requirements (such as Employment Law, Health & Safety Law and Taxation), and to pursue our legitimate interests.
We will try to process your personal data in line with your reasonable expectations, and ensure any processing is fair, lawful, and transparent, and is in line with Data Protection legislation.
More detailed examples of the reasons why we collect and use your information are
- to recruit and promote (including vetting and law enforcement checks);
- to administer and provide terms and conditions of employment, payroll and pension services, staff benefits and other staff schemes, the use of our facilities, and supporting Human Resources, Finance, Resource Planning and Learning & Development functions;
- to meet our statutory obligations e.g., Employment Law, Tax and National Insurance deductions, equalities monitoring, Health, Safety & Welfare (HSW), staff fitness and safeguarding reporting;
- to ensure you are fully trained and equipped to carry out your role;
- to manage your wellbeing (including health data) and security;
- to provide information about the workforce or individuals (e.g., Occupational Health reports, and other employment processes) to make management decisions and ensure the efficient running of AF&RS;
- to make any external reports we are required to do, such as reporting to central Government or other Authorities,
- to ensure Service policies are being adhered to and to support good governance; and
- to ensure Business Continuity processes are effective.
To comply with the lawfulness of processing which is required under the UK General Data Protection Regulation (GDPR), we ensure any processing meets at least one of the following criteria:
- With your consent, such as data that identifies you and your consent to use your personal mobile phone number and/or home address for a targeted SMS text messaging service, or for the provision and processing of equality monitoring information.
- For the performance of a contract, such as your Contract of Employment/Statement of Particulars or the steps needed to enter a contract, to help us manage your employment and make sure both parties uphold their roles and the negotiated terms and Service policies.
- For compliance with a legal obligation (including common law and Statutory obligations) AF&RS is subject to, such as Employment Law, Health & Safety Law, Taxation, and other legislation we must comply with as your employer.
- To protect your vital interests if we need to get you emergency medical attention.
- For the performance of a task carried out by the Service in the public interest, for the exercise of our official authority vested in us as set out by UK law, such as to carry out our obligations under the Fire Services Act 2004 and other associated legislation. This covers the use of data for internal and external management reporting, financial modelling and planning, management of workforce data, the development of better staff retention, recruitment policies and insurance management.
- Where we or a third party may have a legitimate interest in the processing of your personal data (which does not fall under any of the other lawful processing conditions cited above). Where this is necessary, we will ensure your data rights are always considered. An example of this type of processing would be the collection of your vaccination information considering the recent COVID pandemic.
Special Categories (sensitive) personal data
Special Category personal data is afforded extra protection under the Data Protection legislation. When we process these types of data, there are additional criteria we need to meet. The main ones within GDPR which apply in an employment capacity are:
- when we have obtained your explicit and written consent;
- when it is necessary for carrying out our obligations under Employment Law;
- for protecting your vital interests in an emergency if you were incapable of providing your consent;
- when it is necessary for us to establish or defend a legal claim;
- when processing is necessary for reasons of substantial public interest, which includes the work we do as a Fire & Rescue Service; and
- when it is necessary to retain data for archiving, statistical and historical purposes in the public interest, however, where practical we will anonymise the data.
In addition to the above, when processing Special Category personal data, we ensure it also meets the conditions set out within the Data Protection Act 2018, which are similar to the above, there include:
- employment, health and research purposes;
- substantial public interest, such as for Statutory and Government purposes;
- equality and opportunity of treatment;
- preventing and detecting unlawful acts, protecting the public against dishonesty, and fraud;
- insurance; and
- occupational pensions.
We may process your health and welfare information and may share it externally with our occupational health provider and other medical practitioners, to support your health and welfare, monitor sickness absence, and ensure you are physically competent to fulfil your role.
There is some Special Category data we don’t collect, hold, or process - mainly any information relating to your political opinions, or your biometric and/or genetic data.
Most of the information we hold has been provided by you, with the rest generated by internal processes such as your line management. We may in some cases also hold information from external sources, e.g., your references or the results of your security check.
Our IT Acceptable Use Policy and other related Service policies mean we may audit your IT activity and transactions for ICT infrastructure, network, and information security purposes, so we may hold your information in emails or documents you’ve written or saved.
Some of the following places are used to store information, subject our existing Information Security controls and policies:
- Personal Records File (PRF)
- Firewatch (integrated HR, RPU and Learning & Development system)
- MOST (employee maintenance of skills)
- MyLo employee online training system (The Learning Pool Ltd) and other E-Learning platforms
- Payroll system (administered by Bristol City Council),
- Pension system (administered by Bath & North East Somerset Council),
- Occupational Health Service Provider’s electronic system (provided by Medigold)
- OSHENS (Wellworker HSW system)
- Return to work and attendance records
- Guide for Assessment (GFA) database (feedback booklet for operational internal promotions process)
- Personal Development Review system (ePDR)
- In house registers and spreadsheet trackers, for various processes such as long-term sickness, long term modified and pregnancy/maternity cases, discipline and grievance cases, and register of discipline outcomes
- CCTV, video, voice recordings, and photograph libraries
- Outlook email system
- Dedicated drives within the IT network, and IT systems managed by departments that routinely process personal data
- Employee contact and staff operational data (held by Service Control)
- Everbridge Critical Communications System, for automated SMS text messaging service
- AF&RS premises access control systems
- Licence Check Ltd (DAVIS), for driving licence verification information and DVLA checks
- Disclosure & Barring Service (DBS)
- Various Service approved IT platforms, such as staff internet, AF&RS main website, Microsoft Teams, Basecamp and social media sites such as Workplace, Yammer, AF&RS Facebook and Twitter accounts
Details of how long we keep information are in our Retention Schedule.
Who we share information with, and why?
We will disclose your information to third parties if we are legally obliged to do so, or if we need to comply with our contractual duties to you, or if that third party is providing a service on our behalf e.g., payroll provision.
If we have an agreement with a third party to process personal data on our behalf, they will have written instructions, be under a duty of confidentiality, and will be obliged to implement appropriate technical and organisational measures to ensure data security.
Some of the organisations we may share your data:
- Payroll and pension providers
- Providers of staff benefit schemes
- IT helpdesk provision
- Legal advisors on employment matters
- DVLA and driving licence verification services
- Insurance providers
- Her Majesty’s Revenue & Customs (HMRC) for tax purposes
- Government Departments (normally statistical and anonymised)
- Equalities monitoring organisations (normally statistical and anonymised)
- Avon & Somerset Constabulary / Police & Crime Commissioner within their capacity as landlord for our staff sited at HQ
- Police & Fraud Officers, National Fraud agencies (under our legal duty to ensure the protection and detection of crime)
- Statutory organisations (where we have a legal obligation to report certain events concerning employees, e.g., the Health & Safety Executive for RIDDOR adverse H&S events),
- Partner agencies for public sector collaborative working arrangements, and to fulfil our duties to deliver a Service to the public when attending emergency incidents, preventative fire safety and public welfare work, and training (i.e., working with the Police, Ambulance, local councils and agencies, other Fire & Rescue Services and local community organisations)
- Staff welfare providers
- Trade unions or other representative bodies if you have told us, you are a member
- Other providers of employee services, based on AF&RS duty to fulfil a public task or our legitimate business interests (i.e., providers of staff training, equipment and vehicles, workwear and PPE)
- Organisations acting on your behalf, such as solicitors or mortgage companies asking for confirmation of employment and salary details (they must provide a letter of authority and any other necessary documents before we will release any of your personal data to them).
Civil Contingency planning
We may process your personal data for contingency planning purposes, but only when it is fair and reasonable so that we can perform our public task duties as a Fire & Rescue Service, to fulfil our duties under the Civil Contingencies Act 2004, to support our partners, and for public health reasons in times of crisis (such as the COVID-19 national pandemic).
We will seek your consent and notify you when sharing your personal data with our partner agencies unless the law permits us to do so without notifying you.
Your Data Rights
There are exceptions, as with all legislation, which means you can exercise certain rights under the Data Protection legislation depending on what lawful basis we must process your personal data.
If processing is only based on your consent, you have the right to withdraw that consent at any time.
Your right to object to processing does not apply where processing takes place under a Contract of Employment, or where processing is carried out based on a legal obligation (such as Employment Laws / Tax Laws, etc.). You also do not have the right to data erasure where we are processing your data under a legal obligation.
All requests to exercise your individual data rights will be reviewed on a case-by-case basis.
Further information about your rights and how to exercise them is on the Staff Intranet pages and the AF&RS website.
Last reviewed 10/08/2021