You are Here : Residents  >  Jobs  >  Join the Team  >  Individual Privacy
Wednesday , November , 29 2023
| Language and Accessibility

Individual (non-employee) Privacy Notice 

Carlisle City Council (“the Council”) are a "data controller".

The Council collects and processes personal data relating to its casual workers, agency workers, contractors, volunteers and work experience students (known within this policy as ‘individuals’) to manage the agreement. The Council is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The General Data Protection Regulation (GDPR) and Data Protection Act 2018, sets out the data protection legislation that all data controllers must adhere to. Under the GDPR, there are six data protection principles that the Council must comply with as a data controller. These principles provide that the personal data we hold must be:

  1.  Processed in a lawful, fair and transparent manner.
  2. Collected only for specified, explicit and legitimate purposes and not processed further in a way that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to those purposes.
  4. Accurate and kept up to date where necessary.
  5. Kept in a form makes it possible to identify individuals for no longer than is necessary.
  6. Processed in a way that ensures appropriate security of the data.

The council is responsible for complying with these principles and must be able to demonstrate compliance.

The Council will collect personal data about all individuals. Personal data is any information about an individual can be used to directly or indirectly identify the individual. This excludes anonymised data. Some forms of personal data require a higher level of protection because of its sensitive nature. This includes personal data of criminal convictions and offences, and ‘special categories’ of personal data, such as an individual’s racial or ethnic origin, political opinions, religious or philosophical information beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data. 
The Council collects and processes a range of information about you. This may include:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • details of your working conditions;
  • details of your qualifications, skills, experience and engagement history, including start and end dates, with previous employers and with the Council;
  • information about your remuneration, including entitlement to benefits such as insurance cover;
  • details of your bank account, national insurance and tax number;
  • information about your marital status, next of kin, dependants and emergency contacts; ➢
  • information about your nationality and entitlement to work in the UK;
  • information about your criminal record, where appropriate;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave;
  • details of any investigations and witness statements made in which you have been involved;
  • assessments of your performance, including training you have participated in and related correspondence;
  • information about medical or health conditions and Occupational Health reports, including whether or not you have a disability for which the Council may need to make reasonable adjustments;
  • photographic identification for security, identification and internal purposes, including promotions where clear visual signage has been present to raise awareness of attendees;
  • information pertaining to personal circumstances, including disabilities; 
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief;
  • assessment reports relating to further education and development;
  • copies of qualification certificates gained, attendance of courses and evaluation records;
  • copies of projects, research and associated development activities;
  • copies of attendance at wellbeing events including participation records of wellbeing activities; and HR, Organisational Development and Personnel & Payroll Individual privacy notice (compliant with the GDPR) (for those that do not have access to the intranet and E learning) Policy, Guidance Notes and Procedures/ June 2018/ Version 1.0/PersonnelDevelopment K drive/Personnel Documents/ Policies, Procedures & Guidance. 9 
  • Health and safety related documents: risk assessments, accident reports and claims, safety audits, stress audits, Displays Information and Posters containing names of specifically trained individuals for First Aid and Fire legislative compliance.

The Council collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during work; from correspondence with you; or through interviews, meetings or other assessments and CCTV.

In some cases, the Council collects personal data about you from third parties, such as references supplied by former employers, information from engagement background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Personal data will be collected throughout the term of your engagement with us and may include in the course of work-related activities. Although some of the personal data that you are asked to provide is a statutory or contractual requirement, some data may be requested on a voluntary basis. You will be informed whether the requested information is mandatory or voluntary.

Data is stored in a range of different places, including in your personnel file, in the Council's HR management systems and in other IT systems (including the Council's email system)

The Council needs to process your personal data to meet its obligations under your contract of engagement. For example, it needs to process your data to pay you accordingly and to administer, for example insurance entitlements.

In some cases, the Council needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an individual’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable individuals to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the work in question.

In other cases, the Council has a legitimate interest in processing personal data before, during and after the end of the term of engagement. We may also occasionally use your personal data where we need to protect the vital interests of you or someone else.

Processing an individual’s data allows the Council to

  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that individuals are receiving the pay or other benefits to which they are entitled;
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that individuals are receiving the pay or other benefits to which they are entitled;
  • operate and keep a record of other types of leave to allow effective workforce management, to ensure that the Council complies with duties in relation to leave entitlement, and to ensure that individuals are receiving the pay or other benefits to which they are entitled;
  • ensure effective general HR and business administration; ➢ provide references on request for current or former individuals; ➢ respond to and defend against legal claims;
  • to ensure you are paid correctly, including ensuring compliance with statutory deductions; ➢ to provide statistical and any other relevant information to Government and nonGovernment bodies;
  • to process and respond to information requests under the Freedom of Information Act 2000 and the Environmental Information Regulations – in accordance with Data Protection Law;
  • to communicate information to you; ➢ maintain and promote equality in the workplace; ➢ comply with the duty to make reasonable adjustments for disabled staff and workers and with other disability discrimination obligations
  • operate and keep a record of development activity to ensure compliance with health and safety requirements, ensure a skilled workforce exists, defence against legal claims, audit for transparency of budget spend; and ➢ operate and maintain a record relating to wellbeing initiatives to ensure health and safety requirements, audit of budget allocation, defence against legal claims.

Where the Council relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of individuals and has concluded that they are not.

Some special categories of personal data, such as information about health or medical conditions, is processed to carry out legal obligations (such as those in relation to individuals with disabilities and for health and safety purposes).

Where the Council processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the Council uses for these purposes is anonymised and is collected with the expressed consent of individuals, which can be withdrawn at any time. The relevant form can be found at Appendix 3 and individuals are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

HR, Organisational Development and Personnel & Payroll Individual privacy notice (compliant with the GDPR) (for those that do not have access to the intranet and E learning) Policy, Guidance Notes and Procedures/ June 2018/ Version 1.0/PersonnelDevelopment K drive/Personnel Documents/ Policies, Procedures & Guidance. 11

Where the Council processes photographic publishing of personal data for internal publishing at promotional events, such as Wellbeing, where signage has been clearly visual to raise awareness for any attendees to raise concerns at each event, individuals are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so. The relevant form can be found at Appendix 4 and individuals are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

Your personal data will only be used for the purposes for which it was collected. If your personal data is required for any purpose other than the purpose it was collected for, you will be provided with information about the new purpose, the legal basis for processing your personal data and any other relevant information. We may also issue a new privacy notice.

Our information will be shared internally, including with members of the HR, OD, H&S, and recruitment team (including payroll), your hiring manager, managers in the business area in which you work or those managers dealing with issues relating to yourself, and IT staff if access to the data is necessary for performance of their roles.

The Council shares your data with third parties in order to obtain references from other employers, obtain background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. In these circumstances the data will be subject to confidentiality arrangements.

The Council also shares your data with third parties that process data on its behalf in connection with payroll, such as HMRC, for the provision of benefits, such as training and development, the provision of occupational health services and bodies such as the Health & Safety Executive.  

We will only share your information with partners or suppliers who have sufficient measures and procedures in place to protect your information and can meet their legal obligations under data protection legislation. These requirements will be set out in contracts or information sharing agreements.

We will not share your information for marketing purposes, unless you have specifically given us permission to do so.

The Council will not transfer your data to countries outside the European Economic Area. 

The Council takes the security of your data seriously. The Council has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except by its individuals in the performance of their duties. Our measures include implementing appropriate access controls, investing in the latest Information Security Capabilities to protect the IT environments we leverage, and ensuring we encrypt, pseudonymise and anonymise personal data wherever possible.

The Council has procedures in place to deal with any actual or suspected data security breach and will notify you and the Information Commissioner’s Officer of the breach where we are legally required to do so.

Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

The Council will hold your personal data compliant with legal retention periods or, if applicable, the duration of your engagement. The periods for which your data is held after the end of engagement will be compliant with legal relevant retention periods. We will actively review the personal data we hold and delete it securely, or in some cases anonymise it, when there is no longer a legal business need for it to be retained.

A hard copy of the retention schedule can be supplied by you hiring manager on request.

It is important that the Council keeps your personal data as up to date and accurate as possible. Please keep us informed of any changes to your personal data as soon as possible. The Council cannot be held responsible for any errors in your personal data in this regard unless you have notified the Council of the relevant change.

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data and relevant privacy information on request;
  • require the Council to change incorrect or incomplete data;
  • require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of your data where the Council is relying on its legitimate interests as the legal ground for processing; and
  • ask the Council to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the Council's legitimate grounds for processing data

Where you have given consent for the processing of your personal data for a specific purpose, you have the right to withdraw your consent for the processing for that specific purpose at any time

If you would like to exercise any of these rights, please contact the Data Protection Officer detailed above. You can make a subject access request by completing the Council's form found at Appendix 5.

HR, Organisational Development and Personnel & Payroll Individual privacy notice (compliant with the GDPR) (for those that do not have access to the intranet and E learning) Policy, Guidance Notes and Procedures/ June 2018/ Version 1.0/PersonnelDevelopment K drive/Personnel Documents/ Policies, Procedures & Guidance. 13 

If you believe that the Council has not complied with your data protection rights, we encourage you to let us know so that we can look into this for you and provide a response. Please address any queries, complaints or concerns regarding your personal data in writing to the Data Protection Officer.

Should you then feel that the matter is not resolved you may lodge a complaint with the Information Commissioner: UK Information Commissioner's Office, Wycliffe House  Water Lane, Wilmslow, Cheshire, SK9 5AF  Tel: 08456 30 60 60 | Website:

You have some obligations to provide the Council with data. In particular, you have to provide the Council with data in order to exercise your statutory rights, such as, in relation to statutory leave entitlements and pay. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as, contact details, your right to work in the UK and payment details, have to be provided. If you do not provide other information, this will hinder the Council's ability to administer the rights and obligations arising as a result of the agreement efficiently

Engagement decisions are not based solely on automated decision-making.

HR Analytics may be used to look at the traits of the workforce, in particular its human capital: the value of individual knowledge, skills and experience of individuals and teams. This is also known as human capital analytics.

HR analytics enables HR and their major stakeholders to measure and report key workforce concepts, such as performance, well-being, productivity, innovation and alignment. This in turn enables more effective evidence-based decisions by strategic business functions. HR analytics enables HR teams to demonstrate the impact that HR policies and processes have on workforce and organisational performance, and can be used to demonstrate return-on-investment and socialreturn-on-investment for HR activity. Business managers are increasingly interested in how to use HR concepts more effectively, and so HR analytics is an important way in which HR teams can evaluate and improve people and business performance.

This A to Z of services list provides links to service pages alphabetically