Privacy Notice

In order to comply with its contractual, statutory, and management obligations and responsibilities, the County Council is required to process personal data and special category data relating to its job applicants and staff (including agency worker, casual worker, contractors, interns, volunteers, apprentices, and seconded employees). All such data will be processed in accordance with the provisions of the UK GDPR and associated Data Protection Legislation and the County Council Policy on Data Protection. (See the current Data Protection Policy.) 

If you are an employee of a partner organisation, please refer to that partner organisation’s Privacy Notice.

The County Council will only process an employee’s personal data where it has a lawful basis to do so. For example, where processing is necessary for the purposes for the performance of a contract (i.e. the employment contract) and in relation to special category data, processing is necessary for the purposes of carrying out obligations in the field of employment. Further information on what data is collected and the purposes for which it is processed is given below. This list is not exhaustive, and if another purpose is identified all processing undertaken will comply with the UK GDPR principles and include any tests required.

Contractual responsibilities

The County Council’s contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: recruitment;  payroll; bank account; postal address; sick pay; leave; maternity pay; DBS checks; training and supervision records; pension; and emergency contacts.

The personal data of the member of staff’s emergency contact is processed on the basis of legitimate interests.

Statutory responsibilities

The County Council’s statutory responsibilities are those imposed on the County Council by legislation. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax; national insurance; statutory sick pay; statutory maternity pay; family leave; DBS checks; work permits; and equal opportunities monitoring.

Management responsibilities

The County Council’s management responsibilities are those necessary for the organisational functioning of the County Council and the performance of the tasks that are carried out in the public interest. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment; training and development; organisational planning and service delivery forecasting; research; absence; disciplinary matters; health and safety; security, including County Council-operated camera systems; IT systems; e-mail address and telephone number; swipe cards; criminal offence data; and emails and other information held on County Council systems.

Where we have issued a device or equipment the County Council may activate location data or track IP addresses. The County Council tracks devices and IP addresses to keep our systems safe and secure.

Special Category data 

Where relevant, the County Council to collect and process special category data. For example:

  • The County Council will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, and to make any necessary arrangements or adjustments to the workplace in the case of disability. Referrals to Occupational Health will take place with the employee’s knowledge and consent
  •  The County Council will process data about an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding the County Council's equal opportunities policies and related provisions
  •  Criminal offence data about employees will only be collected where necessary for specific purposes

Disclosure of personal data to other bodies

In order to perform its contractual and management responsibilities, the County Council may, from time to time, need to share an employee’s personal data with other organisations, professional or governing bodies, or organisations where an employee has been or will be seconded. In such cases the bodies concerned will be required to process the personal data in accordance with Data Protection Legislation.

For the performance of the employment contract, the County Council is required to disclose an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.

In order to fulfil its statutory responsibilities, the County Council is required to provide some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.

The National Fraud Initiative (NFI) is an exercise that takes place every two years to match electronic data within and between public sector bodies to prevent and detect fraud. We have a legal obligation to take part in this exercise, alongside police authorities, local probation boards, fire and rescue authorities, and other local councils.

If you are asked to become a Purchase card (P card) holder, the County Council will need to share your work email address with the card provider.

In order to maintain its HR and day-to-day business records, employee data will be processed by relevant third parties under contract (for example: SAP, Microsoft). 

Keeping information secure

The County Council operates a range of policies, procedures, and governance arrangements to ensure that the personal information held on staff is collected, held, and used securely. This includes using a third party security monitoring service to fulfil our responsibility to ensure the security of our IT systems. In certain circumstances information may be held outside the UK and the EEA. In these circumstances the County Council provides appropriate safeguards to protect personal data.

Keeping personal data up to date

The Data Protection Legislation requires the County Council to take reasonable steps to ensure that any personal data it processes is accurate and up to date. It is the responsibility of the individual employee to inform the County Council of any changes to the personal data that they have supplied to it during the course of their employment (for example, a change of address or other contact details).


The County Council holds personal data in accordance with the relevant Retention Schedules. In relation to personnel records, these are held for 7 years after the end of employment, except in the case of staff working with Children or Vulnerable Adults, where they will be retained for 35 years after the end of employment or 75 years from date of birth. Unsuccessful candidates’ information will be held for one year from the end of the recruitment process.

Data Protection Officer

For more information about your rights in relation to your personal data, please see the County Council’s general Privacy Notice.

Further information

The above information is the specific privacy notice for this service. For more information about your rights in relation to your personal data, see the County Council’s general privacy notice.

You have some legal rights in respect of the personal information we collect from you. See our Data Protection page for further details.

You can contact the County Council’s Data Protection Officer by email [email protected].

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.