The data we collect, process, hold, and share includes information about our staff - former, current, and temporary (interns, anyone seconded to us, or anyone on our payroll), and can also include personal information held in electronic, paper, or any other accessible format (documents, emails, forms, images, voice recordings, etc.).
This means we hold information about you in order to manage the employment relationship, including your name, your contact details, employment history and references, your CV/job application, any health & welfare information (for occupational health purposes), any equalities information you may have provided, payroll and pensions data, training requirements, letters and correspondence about your employment, and your absence and leave records.
Your name or some of these other details may also appear on Fire Service reports, lists, registers, papers, and systems when referring to your actions as an employee.
Why we collect and use information
The information we hold and process is to enable us to perform our function as a Fire & Rescue Service and, as your employer, manage our relationship with you effectively, lawfully, and appropriately whether it is during the recruitment process, while you are working for us, when your employment ends, or after you have left the organisation.
It enables us to comply with your Employment Contract (Statement of Particulars), and any associated Schemes of Conditions of Service and negotiated terms, Service policies, any legal requirements (such as employment law, health and safety law and taxation), and to pursue our legitimate interests.
We will try to process your personal data in line with your reasonable expectations, and ensure any processing is fair, lawful, and transparent, in line with data protection legislation.
More detailed examples of the reasons why we collect and use your data are:
- to recruit and promote (including vetting and law enforcement checks),
- to administer and provide terms and conditions of employment, payroll and pension services, benefits, and use of facilities, supporting Human Resources, Finance, Resource Planning and Learning & Development,
- to meet our statutory obligations e.g. employment law, tax and national insurance deductions, equalities monitoring, health and safety, and safeguarding reporting,
- to ensure you are fully trained and equipped to carry out your role,
- to manage your wellbeing (including health data) and security,
- to provide information about the workforce or individuals (e.g. occupational health reports) in order to take management decisions and ensure the efficient running of AF&RS,
- to make any external reports we are required to do, such as reporting to central Government or other authorities,
- to ensure Service policies are being adhered to and to support good governance,
- to ensure Business Continuity processes are effective.
The majority of the personal data we process about you will fall under the lawful processing conditions of the General Data Protection Regulation (GDPR) 2016:
6(1)(a) your consent, such as data that identifies you and your consent to use your personal mobile phone number and/or home address for a targeted SMS text messaging service, or for the provision and processing of equality monitoring information.
6 (1)(b) the performance of a contract, such as your Contract of Employment/Statement of Particulars or the steps needed to enter into a contract, to help us manage your employment and make sure both parties uphold their roles and the negotiated terms and Service policies.
6(1)(c) for compliance with a legal obligation (including common law and statutory obligations) that AF&RS is subject to, such as employment law, health and safety law, taxation, and other legislation we have to comply with as your employer.
6 (1)(d) to protect vital interests if we need to get you, or anyone, emergency medical attention.
6(1)(e) for the performance of a task carried out by the Service in the public interest, for the exercise of our official authority vested in us as set out by UK law, such as in order to carry our obligations under the Fire Services Act 2004 and other associated legislation. This covers the use of data for internal and external management reporting, financial modelling and planning, management of workforce data, and the development of better staff retention and recruitment policies.
Lawful processing for Special Categories (sensitive personal data)
The Data Protection Act 2018 also permits us to process special categories of data but, similar to the lawful processing of general personal data, this means we will only process special category data where we can both identify a lawful basis for general processing and at least one of the additional conditions needed for processing.
The most likely of these additional conditions are:
- if we have your explicit and written consent,
- if it is necessary for the purposes of preventative or occupational medicine, for assessing your working capacity,
- if it is necessary for statutory or government purposes and for equality of opportunity or treatment,
- for carrying out our obligations under employment law, social security or social protection,
- in order to establish, exercise or to defend our legal claim.
We may process your health and welfare information, and may share it externally with our Occupational Health provider and other medical practitioners, in order to support your health and welfare, monitor sickness absence, and ensure you are physically competent to fulfil your role.
There is some special category data we don’t collect, hold, or process - mainly any information relating to your political opinions, or your biometric and/or genetic data.
Most of the information we hold has been provided by you, with the rest generated by internal processes such as line management. We may in some cases also hold information from external sources, e.g. your references or the results of your security check.
Our IT Acceptable Use and related Service policies mean we may audit your IT activity and transactions for ICT infrastructure, network, and information security purposes, so we may hold the information in emails or documents you’ve written or saved.
Some of the following places are used to store information, subject to AF&RS existing Information Security controls and policies:
- Personal Records File (PRF),
- Firewatch (integrated HR, RPU and Learning & Development system),
- MOST (employee maintenance of skills),
- MyLo employee online training system (The Learning Pool Ltd),
- payroll system (administered by Bristol City Council),
- pension system (administered by Bath & North East Somerset Council),
- Occupational Health Service Providers electronic system (provided by IMASS),
- OSHENS (Wellworker HSW system),
- return to work and attendance records,
- Guide for Assessment (GFA) database (feedback booklet for operational internal promotions process),
- Personal Development Review system (ePDR),
- in house registers and spreadsheet trackers, for various processes such as long term sickness, long term modified and pregnancy/maternity cases, discipline and grievance cases, and register of discipline outcomes,
- CCTV, video, voice recordings, and photograph libraries,
- Outlook email system,
- dedicated drives within the IT network, and IT systems managed by departments that routinely process personal data,
- employee contact and staff operational data (Service Control),
- Everbridge Critical Communications System, for automated SMS text messaging service,
- AF&RS premises access control systems,
- Licence Check Ltd (DAVIS), for driving licence verification information and DVLA checks,
- Disclosure & Barring Service (DBS),
- Various Service approved IT platforms, such as Basecamp and social media sites such as Workplace, AF&RS facebook and twitter accounts.
Details of how long we keep information are in our Retention Schedule.
Who we share information with, and why
We will disclose your information to third parties if we are legally obliged to do so, if we need to comply with our contractual duties to you, or if that third party is providing a service on our behalf e.g. payroll provision.
If we have an agreement with a third party to process personal data on our behalf, they will have written instructions, be under a duty of confidentiality, and will be obliged to implement appropriate technical and organisational measures to ensure data security.
Some of the people we may share your data with are:
- payroll and pension providers,
- IT helpdesk provision,
- legal advisors on employment matters,
- DVLA and driving licence verification services,
- insurance providers,
- Her Majesty’s Revenue & Customs (HMRC) for tax purposes,
- Government Departments (normally statistical and anonymised),
- Equalities monitoring organisations (normally statistical and anonymised),
- Police & Fraud Officers, National Fraud agencies (under our legal duty to ensure the protection and detection of crime),
- statutory organisations (where we have a legal obligation to report certain events concerning employees, e.g. the Health & Safety Executive for RIDDOR adverse H&S events),
- partner agencies for public sector collaborative working arrangements, and to fulfil our duties to deliver a Service to the public when attending emergency incidents, preventative fire safety and public welfare work, and training (i.e. working with the Police, Ambulance, local councils and agencies, other Fire & Rescue Services and local community organisations),
- staff welfare providers,
- Trade unions or other representative bodies if you have told us you are a member,
- other providers of employee services, based on AF&RS duty to fulfil a public task or our legitimate business interests (i.e. providers of staff training, equipment and vehicles, workwear and PPE),
- organisations acting on your behalf, such as solicitors or mortgage companies asking for confirmation of employment and salary details (they must provide a letter of authority and any other necessary documents before we will release any of your personal data to them).
Civil Contingency planning
We may process your personal data for contingency planning purposes, but only when it is fair and reasonable so that we can perform our public task duties (as per GDPR 6e) as a Fire & Rescue Service, to fulfil our duties under the Civil Contingencies Act 2004, to support our partners, and for public health reasons in times of crisis (such as the COVID-19 national pandemic).
We will seek your consent and notify you when sharing your personal data with our partner agencies unless the law permits us to do so without notifying you.
There are exceptions, as with all legislation, which means you can exercise certain rights depending on what lawful basis we have to process your personal data.
If processing is only based on consent, you have the right to withdraw that consent at any time.
Your right to object to processing does not apply where processing takes place under a Contract of Employment, or where processing is carried out on the basis of a legal obligation (such as employment laws / tax laws, etc.). You also do not have the right to data erasure where we are processing your data under a legal obligation.
All requests to exercise your individual data rights will be reviewed on a case by case basis.
Further information about your rights and how to exercise them is on the staff intranet pages and the AF&RS website.
Last reviewed 30/04/2020