Note: all underlined text is hyperlinked
Step 1: Website Contact Details Form
Data Controller: Promedica Care Sp. z o.o.
Data Subject: Care Worker Applicant
Process Purpose 1: RECRUITMENT – For the purposes of recruitment
Process Purpose 2: MARKETING – For sending marketing content or telephone contact
Legal Basis 1: Consent
Retention Period 1: duration of consent
Legal Basis 2: Legitimate Interest
Retention Period 2: not stipulated
Data Sharing 1: “entities from the Promedica24 Group cooperating with our company”
Data Sharing 2: “entities … from outside the Promedica24 Group, providing IT, telecommunications, marketing and logistics services to us, which support us in our activities”
Categories of Personal Data: commencement / termination dates, employer/s name/s, employment history, names, notes biographical in nature, personal contact details, references
Comments:
- ‘Upload resume (optional)’ means we cannot be certain what personal data we are collecting; I’ve guessed some additional ones above.
- Links to ‘Terms & Conditions’ and ‘privacy policy’ do not show as links.
- The purpose of the ‘Terms & Conditions’ link is not clear to me.
- Categories of personal data and process purposes held under the legal bases of ‘consent’ and ‘legitimate interest’ should be separated out. We can only rely on one legal basis for each process purpose, and it is hard to see how we can, or why we need to, rely on two legal bases here. What is the difference between holding the data subject’s contact details so we can make them a job offer and holding the same data so we can notify them of other vacancies? Both can be either consent or legitimate interest.
- Retention period for ‘legitimate interest’ should be stated.
- Data sharing to the USA needs a different ‘appropriate safeguard’ following Schrems II.
Step 2: Application Form
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose 1: RECRUITMENT – For the purposes of recruitment
Legal Basis: Consent
Retention Period: very confusing provisions
Categories of Personal Data: Commencement / termination dates, contractual requirements, criminal record checks / details, date of birth, employer/s name/s, employment history, health or medical data, ID documents, names, nationality, notes biographical in nature, payroll, tax and NICs information, personal contact details, references, right to work information, signature, working hours.
Comments:
- Form seeks consent to data processing whereas an applicant or employee cannot give a GDPR-compliant consent. Legal basis should be ‘legitimate interest’.
- Form seeks consent for Promedica Care Sp. z o.o. to send marketing information whereas I cannot see why this is necessary and this entity is not the data controller.
- Form seeks consent for Promedica Care Sp. z o.o. to notify other vacancies: this is sensible and matches the privacy notice for applicants; however, I think we could also do this under legitimate interest with an opt-out.
- Form replicates privacy notice information whereas this should be kept in one place and linked on the application form.
- Existing privacy notice for Applicants should be amended and provided by web link / web address (in hard copy forms).
- Retention period information on the form is very confusing and also misconceived (i.e. there is no legal requirement for most of the personal data to be retained at all, with the exception of some payroll data which should not be gathered in this form anyway).
- Form collects ‘mother’s first name’, ‘father’s first name’, ‘date of birth’, ‘place of birth’, ‘mother’s maiden name’, ‘height’ and ‘weight’ whereas I cannot see any process purpose for these personal data and collecting them may conflict with the principle of minimisation.
- Form collects ‘citizenship’ whereas I do not know what this means. If it means country of origin, why do we need this on the application form? Do we have an occupational requirement for workers from a particular country? I doubt it. So this is probably getting ahead of the process for checking the applicant’s right to work, but we don’t need to do this unless and until we are going to offer them the job they are applying for, see principle of minimisation.
- Form collects ‘voivodeship’ which is not an English word as far as I am aware and should be deleted.
- Form collects ‘National Insurance Number’ and ‘date of registration’; we should use one field to collect each type of personal data. I am not sure what ‘data of registration’ means. We don’t need to collect National Insurance Numbers unless and until we employ the applicant, see minimisation principle.
- Form collects ‘Emergency Contact’ personal data of third parties. Again, we don’t need this unless we employ the applicant, see the minimisation principle.
- Form collects ‘Identity Documents’. Again, we don’t need this unless we employ the applicant, see the minimisation principle. Furthermore, we need to see copies of certain documents and record that we have checked them: this should be in a different form that is completed if and when an applicant is recruited. I am not at present sure why we need to know whether or not the applicant has lived in the UK for five years.
- Form requires applicant to confirm they have no criminal record whereas this is not a requirement of the position (i.e. a criminal record only ‘may’ mean they are not suitable).
Step 3: Health Assessment Form
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose: HUMAN RESOURCES – To process personnel matters including appraisal, professional development, fitness for work, disciplinary, contract termination, promotion and pay review
Legal Basis: Unsure, suggest legitimate interest and GDPR article 9 (2) (b) exemption (i.e. ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’).
Retention Period: destruction when employment ends
Categories of Personal Data: health and medical data, names, signature
Comments:
- Personal data about disabilities and health should not be collected before a job offer is made to the applicant, see section 60 Equality Act 2010.
- Form asks about sickness days in the last year: what is our process purpose for this data?
- Form asks about smoking and number of cigarettes per day: what is our process purpose for this data?
- Form asks about alcohol and consumption: what is our process purpose for this data?
- Form asks for GP’s name and contact details: what is our process purpose for this data?
- Form includes tick boxes for lots of health conditions, whereas many of them overlap, some seem wholly irrelevant and the extent of these enquiries will need to be supported by process purposes. In other words: why do we need all of this and what are we going to do with it?
Step 4: Job Description Live-In Carer
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose: HUMAN RESOURCES – To process personnel matters including appraisal, professional development, fitness for work, disciplinary, contract termination, promotion and pay review
Legal Basis: Unsure, suggest legitimate interest
Retention Period: Unsure, suggest duration of employment plus 6 years + 1 year buffer
Categories of Personal Data: names, signature
Comments:
None
Step 5: Staff Joining Form
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose 1: HUMAN RESOURCES – To process personnel matters including appraisal, professional development, fitness for work, disciplinary, contract termination, promotion and pay review
Possible additional Process Purpose 2: PAYROLL – To administer pay, tax, NI and other deductions and allowances
Legal Basis 1: Unsure, suggest legitimate interest
Legal Basis 2: Contractual necessity
Retention Period 1: Unsure, suggest duration of employment plus 6 years + 1 year buffer
Retention Period 2: Duration of employment only
Categories of Personal Data: Commencement / termination dates, criminal record checks / details, financial information, health or medical data, names, payroll tax and NICs information, personal contact details, references
Comments:
- This seems to be a checklist document and also a form to collect bank details, emergency contacts and medical / health data. It will not apply to ‘applicants’ but to those who have been offered employment and who have accepted an offer.
- Bank details should be on a separate form with retention period up to termination only.
- Medical / health information should be on a separate form. Why duplicate this data? We should minimise the amount of medical/health data processed, so keep it on one form only.
Step 6: Permission to obtain references
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose: HUMAN RESOURCES – To process personnel matters including appraisal, professional development, fitness for work, disciplinary, contract termination, promotion and pay review
Legal Basis: Unsure
Retention Period: Unsure
Categories of Personal Data: Name, signature
Comments:
- This seems to be a consent form whereas an employee cannot give a GDPR-compliant consent. See ICO guidance here under the heading ‘When is consent inappropriate?’.
Step 7: HMRC Starter Checklist
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose: PAYROLL – To administer pay, tax, NI and other deductions and allowances
Legal Basis: Suggest Legal requirement (i.e. Income Tax (PAYE) Regs 2003 or Finance Act 1998 (sch 18 para 21))
Retention Period: Suggest either 3 years as required by Income Tax (PAYE) Regs 2003 or 6 years as required by Finance Act 1998 (sch 18 para 21)
Categories of Personal Data: Commencement / termination date, date of birth, financial information, gender, names, payroll tax and NICs information, personal contact details, signature
Comments:
- No need to fill this out unless / until the applicant accepts a job offer.
Step 8: Image Release Form for internal use
Data Controller: Promedica24 UK Ltd
Data Subject: Care Worker Applicant
Process Purpose: HUMAN RESOURCES – To process personnel matters including appraisal, professional development, fitness for work, disciplinary, contract termination, promotion and pay review
Legal Basis: appears to be consent
Retention Period: Unsure
Categories of Personal Data: names, signature
Comments:
- This seems to be a consent form whereas an employee cannot give a GDPR-compliant consent. The form attempts to gain consent without any right for the data subject to withdraw consent, which is not possible.
- This form includes some privacy notice information, which should all be kept in one place.