Why do we collect personal information about staff and how do we use it?


As an employer there are lawful bases for the personal information that we collect about our staff, agency staff, our contracted consultants and those with an honorary contract such as medical placements. We have used the collective term “staff” for the purpose of this privacy statement.

Using personal information helps us provide the best support to our workforce, to ensure their health and safety and to make for a better employee experience.

The main lawful basis (legal reason) for collecting and using this personal information is because we hold a contract with that individual.  Processing information under this legal basis enables us to:

  • Recruit the right staff to Dorothy House
  • Pay staff
  • Develop and train staff
  • Administer pensions
  • Ensure health and safety of staff
  • Manage the organisation (for example staff rotas and availability, maintenance requests, IT helpdesk requests, use of intranet/Dot2Dot and library)
  • Analyse Dot2Dot use through OAK reporting (Intranet provider) facility
  • Use photographs for security purposes


We also process the personal data of staff to meet our legal obligations as an employer, including:


  • Meet immigration law obligations
  • Meet medical registration obligations
  • Keep staff safe using, for example, risk assessments or health and safety reports
  • Where appropriate, we process DBS checks to keep everyone safe who comes into contact with Dorothy House
  • Modify working conditions according to staff health conditions
  • Paying tax and national insurance contributions to HMRC


We also collect and use some personal information regarding staff on the lawful basis of “legitimate interest” so that we can do the following:


  • Alert nominated emergency contacts for staff members if there are concerns for the health and safety of that staff member
  • Monitor demographic, equality and diversity data to evidence fair recruitment and staffing
  • Use staff photographs on outlook and internal software for the purpose of staff identification and for presentations and publicity.
  • Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. See Your Rights section.


What personal information do we collect about our staff?


Based on the data processing reasons outlined above, we may collect some or all of the following information (note, this list is not exhaustive):

Basic details including name, postal/email address, telephone number, date of birth and emergency contact details.

Demographic, equality and diversity data

Terms of employment information including letters of offer, employment contract, place of work, references, ID information

Skills and experience information including CVs, records of qualifications, training and professional membership / registration.

Financial information so that we can pay you including bank details, National Insurance (NI) documentation and social security numbers where applicable.

Identification information including photos, car driver information, copies of birth certificate/driving licence

Employment process information including absence from work and any disciplinary issues.

Performance records such as appraisals and 1 to 1s

Personal health information such as occupational health advice or health and safety reports.

Information on use of DH electronic devices including DH intranet, email data and back up from DH servers, building access, printing history.


Where do we store personal staff information and for how long?


Staff information as outlined above is primarily stored on a secure HR database managed by Dorothy House.  For some functions it may be necessary to hold basic contact details on other internally-managed databases whereby the data can be stored off-site with the relevant software provider, for example training records, maintenance requests, printing history, library use, IT helpdesk.

All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to respect confidentiality.

Some working documentation, such as personal development reviews, performance monitoring and 1 to 1s will be kept securely within the Dorothy House network.  Currently the HR Department also securely holds hard copy files within the department.

Staff record retention policy is for 7 years after employment ceases unless exceptional circumstances apply.


Sharing personal information about staff


Dorothy House may need to share some of the information we hold on staff with the following:

  • Statutory organisations: HMRC, Child Support Agency, local authorities (for attachment of earnings), student loans
  • Third party communications services: Mailing houses, email marketing, survey providers, event booking systems
  • External education system providers (e.g. Moodle, Training Tracker)
  • Other external organisations: Credit card company, pension companies (incl. NHS Pensions)

Click here to view ‘Your Rights’

Download PDF version – Employees Privacy Statement