Worker Privacy Notice

Introduction

Lightning Health is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with Data Protection Legislation.

This policy applies to current and former employees, workers, contractors, and the dependants (if applicable) of employees who we sponsor for visa purposes. This policy does not form part of any contract of employment or other contract to provide services. We may update this policy at any time.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Types of personal information we collect and our Lawful Basis for processing

We collect and process personal information about you as far as necessary to manage the terms of your employment agreement and to comply with legal obligations to which we are subject. This includes:

  • The information that you provided to us during the recruitment process, including your resume or curriculum vitae, application form, work history, education, degrees, academic records, languages and qualifications, references and any professional licenses, memberships, or certifications. Lawful Basis: Contract
  • Your basic contact information, including your name, address, telephone numbers (home, mobile, work), email address, citizenship/nationality, and date of birth. Lawful Basis: Contract & Legal Obligation
  • Your government issued identifiers subject to the conditions of applicable law, such as your national ID details, national insurance number, tax code, passport number and copy of your passport or right to work in the UK documentation. Lawful Basis: Contract & Legal Obligation
  • Your bank and financial details for salary/payroll purposes, such as your salary, other remuneration, your bank account number, bank name and details. Lawful Basis: Contract & Legal Obligation
  • Information about your job and position, including the employee/payroll identification number, job title and description, department, and manager, reporting lines, work location, work status such as full time or part time, working hours, probation period if applicable, and employment contract terms. Lawful Basis: Contract
  • Information for use of company network and devices, such as username, password, contact details, work telephone number, monitoring for network security and device data usage. Lawful Basis: Legitimate Interest
  • For visa applications your passport and visa, and the passport and visa details of any dependants (if applicable) we sponsor. Lawful Basis: Legal Obligation
  • Information about your working hours and leave entitlements, including attendance, holiday/vacation, leaves or absences, travel, and mobility. Lawful Basis: Contract
  • Information relating to health and sickness absence, parental and dependant leave so we can make any reasonable adjustments necessary and monitor and provide support with sickness and absence management. Lawful Basis: Contract & Legal Obligation
  • Name, address, and phone number of your nominated Emergency contacts so we can contact your nominated person should an emergency occur. Lawful Basis: Contract/Legitimate Interest
  • Economic and financial information for compensation and benefits, including your banking and account details for remuneration and compensation, information on raises and bonuses, your benefits package and information and details associated with pensions or insurance programs that may be offered as part of your employment. Lawful Basis: Contract
  • Information related to your work evaluations and performance, including regular evaluation details, reviews and feedback, details about performance plans, and information associated with professional development such as training (both internal and external), courses, seminars and conferences, and succession planning information. Lawful Basis: Contract/Legitimate Interest
  • Information collected for travel and expense purposes, such as credit card, bank details, booking and itinerary details, passport information (number, expiration, issuing authority, etc.) and visa and immigration information, and travel preferences. Lawful Basis: Contract

Sensitive data processing

Throughout your employment relationship we also may be required to collect sensitive data to comply with our legal requirements in the field of employment, social security, and social protection law.

We will use your information relating to leaves of absence which may include sickness absence or family related leaves, to comply with employment and other laws.

We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.

Your rights

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your employment with us. You can check and edit your basic information by logging onto our HR platform.

You have the following rights over your data:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information where we are relying on a legitimate interest and there is something about your situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.

If you would like to exercise any of these rights, please contact our Data Protection Officer at dpo@lightning.health.

Who we share your personal information with

Lightning Health relies on third-party service providers and vendors that provide products and services. These include accountants, law firms and legal service providers, tax or financial professionals, payroll and benefits providers, pension and insurance companies, our landlord, consultants, contractors, IT support and storage providers, e.g. Microsoft Azure, Citrus HR, HubSpot, Nest, We Work, Browser, Wildish, Hiscocks, DocuSign.

Our third-party service providers may have access to your personal information to perform certain functions or may host your personal information as part of a “cloud based” solution used by employees. Lightning Health only uses third-party service providers that ensure sufficient guarantees for the protection of your Personal Data. All suppliers are to undergo a supplier risk assessment. Lightning Health requires third-party service providers by contract to implement appropriate data security and confidentiality obligations, in accordance with applicable law.

Our third-party providers may change over time, but we will notify you in the event of any change. If you would like further details, or to object to us sharing your data for these purposes, please notify us at dpo@lightning.health and we will provide you with detailed information and respond to your request.

We may also share your personal information with any organisation in the event of the sale, merger, reorganisation, dissolution, or disposal of our business. We will inform you of any such transfer or disclosure as required by law.

Transferring Information outside the UK & EEA

Data Protection Laws prohibit the transfer of Personal Data belonging to European Union (EU) residents outside of the European Economic Area (EEA), unless there are appropriate safeguards in place to guarantee the security of that data.

Where we use third-party service providers outside of the EEA or Switzerland, we will ensure that these organisations provide sufficient guarantees to implement appropriate technical and organisational measures for the protection of Personal Data. Where necessary, we require that any such third-party service providers execute the relevant Standard Contractual Clauses or adhere to any certification procedures issued by the Commissioner for transfer of personal data to a third country and undertake a transfer impact assessment to identify any supplementary measures required to safeguard your personal data.

If you require further information about these protective measures, you can request it from our DPO at dpo@lightning.health.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For most employee data the standard retention period is six years.

Details of retention periods for different aspects of your personal information are available from our DPO at dpo@lightning.health.

Complaints or queries

Lightning Health always tries to meet the highest standards when collecting and using personal information and we welcome feedback about this privacy notice or any other data protection issues or concerns. In the first instance, please contact our Data Protection Officer, Melissa Ashdown, at dpo@lightning.health with any feedback, comments, concerns, or complaints.

If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law in the UK: www.ico.org.uk/concerns.

 

Version 1.0. June 2023