Home chevron_right Data protection and privacy chevron_right Privacy notices chevron_right Privacy notice - HR Service

Privacy notice - HR Service

Who are we and what do we do?


The HR Service contributes to the creation of a positive and inclusive working environment where all staff feel valued and are able to achieve their full potential. The service provides support to managers to enable them to carry out their management roles effectively. We ensure compliance with relevant legislation and make the most efficient and effective use of resources.

What type of personal data do we collect and how do we collect it?


We collect the following types of Personal Data throughout your life cycle with Middlesbrough Council from application through to leaving the organisation:

During application process / new starter information

  • Your name, postal address, email address, telephone number and other contact information that allow us to meet our organisational and statutory obligations to you as your Employer;
  • National Insurance number;
  • Date of birth;
  • Referees’ details;
  • Employment history;
  • Details of knowledge, education, qualifications, membership of professional organisations, training information, registration numbers (where applicable) and expertise;
  • Bank details;
  • Proof of identity;
  • Right to work documentation;
  • Disclosure and Barring Service (DBS) checks;
  • Details of any criminal convictions (spent and unspent) where required for a particular post;
  • Gender;
  • Origin;
  • Relationship Status;
  • Sexual Orientation;
  • Religion or Belief;
  • Carer responsibilities;
  • Whether you consider yourself to have a Disability as described under the Equality Act 2010;
  • Pre-employment Health declaration

Throughout your employment with Middlesbrough Council

  • Details of family members and Next of Kin details;
  • Health, sickness and medical information
  • Performance information
  • Training and Development information
  • Details of any criminal convictions
  • Vehicle details, including MOT and insurance information, if you drive as part of your role
  • Equality Data and satisfaction data

When you leave – how long do we keep your personal information?

There is often a legal reason for keeping your personal information for a set period of time, these can be found within our Retention policy and the periods can range from months to decades for more sensitive records.

How we collect your Personal Data


Personal Data may be collected in a number of ways, for example:

  • Direct entry by you, of your personal information via the Staff Portal or the Electronic Recruitment Platform
  • When you contact us either via telephone or email;
  • When you apply for a job vacancy internally or externally;
  • When you complete staff/customer satisfaction surveys and equality data surveys (although you are not obliged to respond to them);
  • Written communication required as part of the Council’s HR Policies and Procedures (including health and medical information, disciplinary information, leave applications, training information etc.)

How the Law allows us to use your personal data?


Middlesbrough Council has a lawful basis to process personal data. The Council also collects special category data including ethnic origin, religion and belief.

We process your personal information for the purposes of your employment to meet our legal obligations. We use ‘special category’ data where this is necessary for ‘employment obligations ‘or where there is a ‘substantial public interest’ based in law for statutory and government purposes.

We process your personal data for the additional voluntary contribution pension scheme (AVC) and to provide you with information about staff benefits for the performance of a contract between you and the council.

Other legal obligations why we are allowed to use your data is under other various UK Laws including but not limited to:

  • Apprenticeship, Skills, Children and Learning Act 2009
  • Health and Safety at Work Act 1974
  • Immigration Act 2016
  • Income Tax Earning and Pensions Act 2003
  • Local Government Act 1972
  • Local Government and House Act 1989
  • Public Service Pension Schemes Act 2013
  • Superannuation Act 1972
  • Equality Act 2010

What is your personal data used for?


The reasons we use your data are as follows:

  • To provide you with our services, and to develop and improve the services;
  • To ensure that the information we hold about you is kept up-to-date;
  • To protect, manage and administer your information to meet statutory and legislative requirements
  • For assessment and analysis purposes to help improve the operation of our service;
  • Deliver services and support to you;
  • Manage those services we provide to you;
  • Train and manage the employment of our workers who deliver those services;
  • Help investigate any worries or complaints you have;
  • Check the quality of services;
  • To manage staff payments;
  • To administer a staff pension scheme;
  • To manage staff annual leave;
  • To manage staff performance;
  • To manage staff feedback;
  • To manage staff misconduct;
  • To maintain a Staffs interests and Disclosures Register;
  • To process matters relating to employment;
  • To manage staff grievances;
  • To process staff health referrals;
  • To process staff health surveillance forms;
  • To manage staff training;
  • To manage staff attendance;
  • To manage staff transfers;
  • To manage staff recruitment;
  • To reorganise the workforce;
  • To manage employee relations;
  • To undertake staff risk assessments;
  • To manage staff redundancy;
  • To provide information about staff benefits; and
  • To detect, investigate, or prevent fraud including via the National Fraud Initiative. 

Will your personal data be shared?

  • Government Departments (e.g. HMRC)
  • Disclosure and Barring Service (CAPITA and NEREO)
  • Internal Departments
  • Medical Services
  • Occupational Health Provider
  • Physiotherapy Service
  • Wider Plan Childcare provider
  • Pension’s providers
  • Referees
  • Trade Unions
  • Training Providers

HR has contracts with a number of third party service providers that support the health and wellbeing of our employees. We also enter into specific information sharing arrangements and any information is managed in accordance with relevant privacy and data protection legislation.

We may also enter into specific information sharing arrangements with other organisations, for example, for the process of TUPE, to support statutory functions. Any information sharing is managed in accordance with relevant privacy and data protection legislation.

How do we keep your personal data secure?


The security of your personal information is important to us. This is why we follow a range of security policies and procedures to control and safeguard access to and use of your personal information.

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
  • Secure, private workspaces such as Objective Connect
  • Controlling access to HR and Payroll systems (including the People Manager, Staff Portal and the Learning Management System) and networks which allows us to stop people who are not allowed to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong

Regular testing of our technology and ways of working including keeping up to date on the latest security updates.

How long will we keep your personal data?


After we deliver a service to you, we have to keep your information as a business record. Our corporate retention guidelines show how long we keep it for different services. This ranges from months for some records to decades for more sensitive records. 

The retention periods for this service are as follows:

  • Recruitment information – 6 months;
  • Payroll information – 6 years plus current;
  • 13 years retention period for staff who have 10 year’s Pension Protection (plus last 3 years) on reductions; and
  • For posts that work with Children these depend on the service.

For more details about specific records, see our retention periods in the corporate policy.

Is your personal data processed overseas?


The Council will not process your information overseas, however it may be necessary if requested by an external organisation under a legal requirement or at your request. In any event we would ensure that your information is safe.



At no time will your information be passed to organisations external to us and our partners for marketing or sales purposes or for any commercial use without your prior express consent.

What are your information rights?


Your Information Rights are set out in law and, subject to some exceptions, you have the:

  • Right to rectification - to ask for information to be corrected
  • Right to erasure - to have your personal data deleted
  • Right to object - to how your data is used
  • Right to restriction - to request limits on how your data is used
  • Right to portability - to request that we move your data to another organisation
  • Right of subject access - to request a copy of data the Council holds about you

Making a complaint


If you have a concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner's Office. Visit the website of the Information Commissioner's Office.



If you would like to discuss anything in this privacy notice or your information rights, please contact:

The Data Protection Officer
Middlesbrough Council
PO Box 500, Middlesbrough, TS1 9FT
Phone: 01642 245432
Email: dataprotection@middlesbrough.gov.uk