Colleagues

St Mungo’s is committed to keeping your data safe. We’re also committed to being up front and honest about what information we’re collecting, why we do this, and how we use it. Return to our Central Privacy Policy

Staff, apprentices, and locums

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive data which require a higher level of protection.
We will collect, store and use the following categories of personal information about you:

  • Your name, address and contact details, including email address and telephone number, date of birth and gender.
  • Information about your right to work in the UK.
  • The terms and conditions of your employment
  • Recruitment documents for roles that you have held, including application, interview notes, shortlisting information, tests and references
  • Details of your qualifications, professional memberships, skills, experience and employment history, including start and end dates and work locations, with previous employers and with the organisation.
  • Information about any potential probity issues or conflicts of interest.
  • Information about your remuneration, including entitlement to benefits such as pensions or insurance cover.
  • Details of your bank account and national insurance number.
  • Information about your marital status, next of kin, dependants and emergency contacts.
  • Information about your status to drive.
  • Details of your schedule (days of work and working hours) and attendance at work.
  • Details of periods of leave taken by you, including holiday, family leave and sabbaticals, and the reasons for the leave.
  • Details of any disciplinary, capability or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.
  • Details of any safeguarding concerns or referrals made to the Disclosure and Barring Service (DBS).
  • Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence.
  • Supervision and other management notes in relation to the performance of your role.
  • Information related to health and safety claims, accidents, complaints incidents which you may be party or a witness to.
  • Feedback you have provided for others through our performance management processes.
  • Information about your use of St Mungo’s information and communications systems.
  • Photographs.
  • CCTV footage and door pass entry information.

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your criminal record.
  • Information about your nationality and entitlement to work in the UK.
  • Details of periods of sickness absence taken by you, and the reasons for the leave.
  • Details of attendance and sickness procedures in which you have been involved, including any stages of the process you have reached and correspondence.
  • Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments.
  • Details of trade union membership.
  • Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest of for official purposes.

"Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

In limited circumstances, with your explicit written consent.

  • Where we need to carry out our legal obligations or exercise rights in connection with employment, for example, in order to administer certain benefits, such as pensions schemes, life insurance or PHI / critical illness insurance.
  • Where it is needed in the public interest, such as equal opportunities monitoring or reporting safeguarding concerns.
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

St Mungo's collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the organisation collects personal data about you from third parties, such as references supplied by former employers; recruitment agencies; assessment information provided by assessment providers; medical information provided by medical professionals and information from criminal records checks permitted by law.

We will collect additional personal information in the course of job-related activities throughout the period of you working with us.

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below – for more information please see the Employee’s Data Summary Schedule.

  • Running recruitment processes and making decisions about pay and terms.
  • Checking you are legally entitled to work in the UK and you are suitable for the role that you are engaged to conduct.
  • Maintaining accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights.
  • Paying you and deducting tax and National Insurance contributions.
  • Administering benefits.
  • Gathering evidence in relation to and operating and keeping a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace.
  • Gathering evidence in relation to and operating and keeping a record of employee performance and related processes, to plan for career development, and workforce management purposes.
  • Operating and keeping a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Obtaining occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Operating and keeping a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Complying with health and safety obligations.
  • Ensuring effective general HR and business administration.
  • Ensure effective business management, monitoring and planning activities.
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies and effective discharge of your duties.
  • To provide references on request for current or former employees.
  • Responding to and defending against legal claims.
  • Maintaining and promoting equality in the workplace.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to your nationality in order to ascertain your right to work in the UK.
  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • We will use information about your physical and mental health, or disability status, to ensure your health and safety in the workplace and assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race, national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our policies in relation to Pre- Employment Checking and Employing People with Criminal Records.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or you have already made the information public.

We may also process such information about members or former members in the course of legitimate business activities with appropriate safeguards.

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use the information about criminal convictions and offences in the following ways:

  • To ascertain your suitability (on an ongoing basis) for your role and employment at St Mungo’s.
  • To inform any appropriate discussions or processes in line with our Code of Conduct and Disciplinary Procedures.

We are allowed to use your personal information in this way to carry out our duties as an employer working in fields with regulated activity and/or with vulnerable adults and/or children and/or in line with the requirements of the Rehabilitation of Offenders Act. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

Who we share with

“Third parties” include third-party service providers (including contractors and designated agents).

St Mungo's shares your data with third parties who manage our databases and administrative systems and in order to obtain pre-employment references from other employers, obtain assessments as part of a recruitment process, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a potential TUPE transfer or when running a staff survey.

St Mungo's also shares your data with third parties that process data on its behalf, in connection with insurances and legal advice, employee relations matters, payroll, the provision of benefits and the provision of occupational health services.

Keeping your information secure

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. With the exception of our occupational health provider (who uses your data for the purposes of advising you directly and safeguarding your wellbeing) we do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may share your personal information with other third parties, for example in the context of possible mergers or take-overs, the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. We may also need to share your personal information with a regulator or commissioner/funder or to otherwise comply with the law.

Sharing outside of the EEA

Subject to the exceptions below your data will not be processed outside of the European Economic Area (EEA).

  1. Our online test provider is based in the United States and as such data related to the online tests will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the test provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome
  2. We may from time to time use an online survey tool based in the United States and as such data contained in surveys will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the survey tool provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome

St Mungo's takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except as required by its employees in the performance of their duties. We operate under a suite of Data Protection Policies, a Data Retention Schedule and restrict access to our systems and files appropriately.

Where St Mungo's engages third parties to process personal data on its behalf, it does so on the basis of written instructions and only where the third party has agreed to treat the information confidentially and to implement appropriate technical and organisational measures to ensure the security of data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use of disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For more information please see the Employee’s Data Summary Schedule.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee or worker of the company we will retain and securely destroy your personal information in accordance with our data retention policy.

Volunteers

The organisation collects a range of information about you. This includes:

  • Your name, address and contact details, including email address and telephone number.
  • Details of your, skills, experience and motivations for volunteering.
  • Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process.
  • Information about your criminal record.
  • Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

The organisation collects this information in a variety of ways. For example, data might be contained in application forms, CVs, obtained from your passport or other identity documents.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, educational / training establishments, work experience providers or other appropriate referees as provided by yourself and information from criminal records checks. 

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).


The organisation needs to process data to administer your volunteering application.

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from volunteer applications allows the organisation to manage the recruitment process, assess and confirm a potential volunteer’s suitability for the role you have applied for.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of volunteers and has concluded that they are not.

The organisation processes health information to see if reasonable adjustments can be made to support a potential volunteer’s application.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to that volunteering role.

Following the conclusion of any recruitment exercise, the organisation will keep your personal data on file for six months to respond to any questions about the process.

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the Volunteering team, volunteer supervisors in the service where the role is based and IT staff and business insight teams if access to the data is necessary for the performance of their roles.

The organisation will not share your data with third parties, unless your application to volunteer is successful. The organisation will then share your data with relevant individuals and organisations (provided by yourself) to obtain references for you, and the Disclosure and Barring Service to obtain necessary criminal records checks.

Subject to the exception below your data will not be processed outside of the European Economic Area (EEA).

Your data will only be processed outside of the European Economic Area (EEA) in the following circumstances:

  • Where we need to obtain reference information where the referee is not based within the EEA this will require basic data transfer outside of the EEA.  In this situation you will have provided the relevant contact details for the referee.

St Mungo's takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except as required by its employees in the performance of their duties.  We operate under a suite of Data Protection Policies, a Data Retention Schedule and restrict access to our systems and files appropriately.

Where St Mungo's engages third parties to process personal data on its behalf, it does so on the basis of written instructions and only where the third party has agreed to treat the information confidentially and to implement appropriate technical and organisational measures to ensure the security of data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

If your application to volunteer is unsuccessful, the organisation will hold your data on file for seven months after the end of the relevant recruitment process.

If your application to volunteer is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your volunteering. The periods for which your data will be held will be provided to you in a new privacy notice.

Applicants

The organisation collects a range of information about you. This includes:

  • Your name, address and contact details, including email address and telephone number.
  • Details of your qualifications, skills, experience and employment history.
  • Information about your performance in all aspects of assessment process, including job application; tests and interview.
  • Information about your current level of remuneration, including benefit entitlements.
  • Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process.
  • Information about attendance in previous roles and / or disability or non-disability related health conditions.
  • Information about your work history including any gaps.
  • Information about your criminal record.
  • Information about your entitlement to work in the UK.
  • Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.
  • Your view of the assessment process.

The organisation collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests, or online surveys.  The data might also be collected from publicly available sources, such as websites.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, educational / training establishments, work experience providers or other appropriate referees as provided by yourself and information from employment background check providers and information from criminal records checks.  The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

The organisation needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.  It also processes your data for the purpose of assessing its own performance through recruitment processes.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.  In addition this information is processed (along with advice from occupational health) to make a judgement in relation to whether someone is suitable for a role.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

Following the conclusion of any recruitment exercise, the organisation will keep your personal data on file for six months to respond to any questions about the process, or legal challenges.  In some situations, we may also keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

During the assessment process, the organisation will share your data with online test providing companies and in certain situations with assessment panel members external to St Mungo’s.  Otherwise, the organisation will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organisation will then share your data with relevant individuals and organisations (provided by yourself) to obtain references for you, employment background check providers to obtain necessary background checks, Occupational Health Advisor to obtain any necessary health advice, the Disclosure and Barring Service to obtain necessary criminal records checks and our contract administration system to issue a contract.

Subject to the two exceptions below your data will not be processed outside of the European Economic Area (EEA).

Your data will only be processed outside of the European Economic Area (EEA) in the following circumstances:

  1. Our online test provider is based in the United States and as such data related to the online tests will be transferred outside of the EEA.  In this situation data is transferred outside of the EEA on the basis that the test provider has signed up to the EU-US Privacy Shield Framework.  More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome.
  2. Where we need to obtain reference information where the referee is not based within the EEA this will require basic data transfer outside of the EEA.  In this situation you will have provided the relevant contact details for the referee.

The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. 

If your application for employment is unsuccessful, the organisation will hold your data on file for seven months after the end of the relevant recruitment process.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.