Privacy Notice


East Suffolk HR have provided this privacy notice to help you understand how we collect, use and protect your information whilst we provide you with HR services and applies to both employee and job applicant information.

The document below will describe how we may collect and process your personal information.

The purpose of this document is to clearly acknowledge the councils’ responsibilities in relation to the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.


Personal Data

This means any information related to an identified or identifiable natural (living) person (‘data subject’) i.e. a person that can be directly or indirectly identified by reference to a name, ID reference number, email address, location data, or physical, physiological, genetic, mental, economic, cultural or societal identifier.

Special Personal Data

This was previously known as ‘sensitive personal data’, relates to race, ethnic origin, politics, religion, trade union membership, genetic data, biometric data, health, sex life or sexual orientation.  Records of criminal personal data must also be treated in a similar way.

Data Controller

This is the person/ role that determines the purposes and means of processing personal data.

Data Processor

This is the person or role responsible for any operation which is performed on personal data on behalf of the controller e.g. collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

Third Party

This is someone / somebody who is not the Data Controller, the Data Processor or the Data Subject.

Who we are

The HR team provide services including recruitment, payroll administration, learning and development and generalist advice.

We are the ‘data controllers’ for the information which is collated and processed. This means we are responsible for deciding how we can use your information. If you want more information regarding the services delivered, please go to our website with regards to the services delivered.

The council regards lawful and correct treatment of personal information as critical to its successful operations, maintaining confidence between the council and those with whom it carries out business. The council will ensure that it treats personal information correctly in accordance with the law.

The services provided are statutory and contractual as detailed in paragraphs 1 b) and 1 c) of Article 6 of the General Data Protection Regulation (UK GDPR), as detailed below:

b) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; 

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

The Data Protection Officer for East Suffolk Council is Siobhan Martin, Head of Internal Audit, and can be contacted at

How the law protects you

UK GDPR says that we are allowed to use personal information only if we have a proper reason to do so.

Our responsibilities

UK GDPR provides us with main responsibilities for processing personal data.

All personal information provided by you is held securely and in confidence by us in our computerised and other records. When we process your personal information, we do so in compliance with UK GDPR.

Your rights

The UK GDPR provides you with the following rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making
  9. The right to withdraw consent
  10. The right to complain

Any requests in relation to your rights with regards to the personal data we hold should be made verbally or in writing to the Data Protection Officer.

Your responsibilities

You are responsible for making sure you give us accurate and up to date information, and to let us know if any personal information we hold is incorrect.

When do we collect information about you?

We collect information about you from different places, including:

  • Application process
  • References and other advance checks such as DBS checks
  • Bank details form
  • Health declaration form

What information do we maintain?

The information about you which we will maintain will include:

  • personal information (such as name, address, next of kin and bank details)
  • vehicle information (such as make, model and registration)
  • characteristics (such as ethnicity, sexual orientation and religion / belief)
  • qualification and skills information (such as qualification dates)
  • previous employment records (such as date of employment and reasons for leaving)
  • sickness and medical information (such as periods of and reasons for absence and occupational health referrals and reports)
  • performance information (such as My Conversation objectives and outcomes)
  • employee relations information (such as disciplinary, grievance and capability casework)

How do we use your information?

We will be using your information to:

  • Enable us to carry out specific functions for which we are responsible:
    • Administering payroll (including mileage and expenses claims, SSP, SMP)
    • Statutory reporting
    • Maintaining employment records
  • Produce anonymous statistical information (such as characteristics of employees and / or applicants)
  • Longlist, shortlist and make decisions about applicants suitability to undertake a specific role
  • Produce anonymous reporting about the organisation (such as absence reporting)
  • Manage sickness, disciplinary, grievance, capability, conduct and other employee relations casework
  • Support occupational health referrals
  • Provide staff benefits to employees
  • Undertake safeguarding and pre-employment checks (such as Disclosure and Barring Service (DBS) check)
  • Undertake staff surveys

We will not use your personal data for other purposes other than for what it was collated unless we have obtained your consent or for other lawful purposes (eg detection and prevention of fraud). We do not use automated decision making.

How long do we keep your information?

We will hold your personal information for:

  • Applicant data is held for one year following an unsuccessful job application
  • General employee data (personal, vehicle, characteristics, qualification and skills), previous employment records and performance is stored for the duration of the individual’s employment, plus seven years.
  • Medical records are stored for 75 years.
  • Employee relations case files (disciplinary, grievance, capability and conduct) are stored for two years, unless a different retention period is identified as part of the outcome of the case.
  • Declaration of interests, gifts or hospitality are retained for the length of employment, plus three months after the employee’s last day of service.

Data Sharing

 We will share your personal information with:

  • Suffolk County Council, our payroll provider
  • The Office of National Statistics (ONS) on a statutory basis under section 1 of Statistics of Trade Act 1947
  • Her Majesty’s Revenue and Customs (HMRC) on a statutory basis under:
    • The Income Tax (Pay As You Earn) Regulations 2003 (SI 2003/2682);
    • The Social Security (Contributions) Regulations 2001 (SI 2001/1004); and
    • The Income Tax (Construction Industry Scheme) Regulations 2005 (SI 2005/2045)
  • Wrightway Health, our Occupational Health provider, on a contractual basis as part of pre-employment checks, management or ill health retirement referrals detailed in our Sickness Absence policy
  • Sodexo Holdings Limited, our staff benefits provider, on a contractual basis to provide staff benefits to employees
  • Disclosure & Barring Service, our criminal records check provider, on a statutory and contractual basis to undertake DBS checks
  • Learning Pool Limited, our e-learning provider, on a contractual basis to allow access to our e-learning platform
  • Other organisations whom we require references from

We will share employee information with third parties as part of Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE), the data provided will be in two parts

  • Anonymised data detailing staff numbers, staff absences, numbers and kinds of employee relations cases. This data forms part of the initial due diligence relating to any TUPE transfer and will be shared with any third party with a specific interest in transferring staff as part of a commercial or procurement project
  • Specific “employee liability information”, including but not limited to: the identity of the employees who will transfer;
    • the age of those employees;
    • information contained in the ‘statements of employment particulars’ for those employees;
    • information relating to any collective agreements which apply to those employees;
    • instances of any disciplinary action within the preceding two years taken by the transferor * in respect of those employees in circumstances where the Acas Code of Practice on discipline and grievance applies;
    • instances of any grievances raised by those employees within the preceding two years in circumstances where the Acas Code of Practice on discipline and grievance applies; and
    • instances of any legal actions taken by those employees against the transferor in the previous two years, and instances of potential legal actions which may be brought by those employees where the transferor has reasonable grounds to believe such actions might occur.
  • This data forms part of the due diligence relating to a TUPE transfer and will be shared with the third party identified as the future employers of staff after the transfer, following or as part of a commercial or procurement activity.

In both cases the information will be provided as part of our statutory obligations detailed in Regulation 11 of the Transfer of Undertakings (Protection of Employment) Regulations 2006. Other data sets may voluntarily be provided as part of the TUPE process.

Transferring your information overseas

Currently, we do not transfer any personal information outside of the European Economic Area (EEA).

National Fraud Initiative (NFI)

We may share information provided to us with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

Please visit the East Suffolk website for further information.