Data integrity, security and confidentiality are vitally important to FirstCare. It is our goal to keep your data safe, secure and accurate, and to achieve this we operate an ISO27001 certified Information Security Management System (ISMS) that ensures FirstCare remains compliant with all applicable data protection legislation, including the General Data Protection Regulation (GDPR).

 

1. Introduction

    • This privacy notice explains how and why FirstCare Limited, including each of its operating entities (also referred to as “FirstCare”, “we”, “our” and “us”) uses personal data concerning employees (referred to as “you”) in the provision of our absence management service to their employer (also referred to as “client” and “they”).
    • You should read this notice, so that you know what we are doing with your personal data.

 

2. FirstCare’s data protection responsibilities

  • “Personal data” is any information that relates to an identifiable person. Your name, date of birth and contact details are all examples of your personal data, if they identify you.
  • The term “process” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.
  • FirstCare is a "processor" of your personal data. Your employer remains the “controller” of your personal data. This means that they make decisions about how and why we process your personal data.

 

3. What types of personal data do we collect and where do we get it from?

  • We collect many different types of personal data about you. Some of it will be provided by you directly to FirstCare. Some of it will be provided to FirstCare directly by your employer. For full details please see the table below:

| Ref | Data | Type | Collected From | Controller |
|---|---|---|---|---|
| 1 | Employee Ref | Mandatory | Your employer | Your employer |
| 2 | First name | Mandatory | Your employer | Your employer |
| 3 | Surname | Mandatory | Your employer | Your employer |
| 4 | Date of Birth | Optional | Your employer | Your employer |
| 5 | Gender | Optional | Your employer | Your employer |
| 6 | Hard of Hearing Status | Optional | Your employer | Your employer |
| 7 | Work Phone Number | Mandatory | Your employer | Your employer |
| 8 | Work Email Address | Mandatory | Your employer | Your employer |
| 9 | Position Reference Number | Optional | Your employer | Your employer |
| 10 | Position Job Title | Optional | Your employer | Your employer |
| 11 | Contracted Hours/Days | Mandatory | Your employer | Your employer |
| 12 | Employment Type | Optional | Your employer | Your employer |
| 13 | Employment Start Date | Mandatory | Your employer | Your employer |
| 14 | Absence Start Date | Mandatory | You | Your employer |
| 15 | Absence End Date | Mandatory | You | Your employer |
| 16 | Absence Type | Mandatory | You | Your employer |
| 17 | Absence Reason | Optional | You | Your employer |
| 18 | Absence Time Lost | Mandatory | You | Your employer |
| 19 | Fit Note Dates | Optional | You | Your employer |
| 20 | Current Symptoms/Illness | Optional | You | FirstCare |
| 21 | Medical History | Optional | You | FirstCare |
| 22 | Current Medications | Optional | You | FirstCare |
| 23 | Allergies | Optional | You | FirstCare |
| 24 | Contact Telephone Number | Optional | You | FirstCare |
| 25 | IP Address (Only processed if you have access to the myFirstCare portal) | Situational | You | FirstCare |

 

  • Note that the option to share data items 20 to 23 with FirstCare is only available if your employer has purchased FirstCare’s ‘Complete Support’ service. If you are unsure which version of the FirstCare service your employer has purchased from FirstCare please contact your HR team.

 

4. What do we do with your personal data, and why?

  • We process your personal data in order to facilitate the necessary, fair and consistent management of your unplanned absences from work, in line with the contract of employment that you have agreed with the employer.
  • Please note that FirstCare does not use your personal data for any form of automated decision making.
  • We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you and is used to analyse aggregated absence trends at your employer.

 

5. Who do we share your personal data with, and why?

  • We need to disclose your personal data to your employer in the form of absence notifications and reports, to enable them to manage your absence from work. Please note that for data items 1 to 13 we are simply sharing data with your employer that they already control.
  • For data items 14 to 19, this information is shared with your employer and any additional representatives they have nominated (such as Occupational Health or Health & Safety). The exception is Data Item 17 (Absence Reason) which will only be shared with your employer or its nominated representatives if you provide your explicit consent for it to be.
  • Data items 20 to 24 are never shared with your employer or any other third party.

 

6. Where in the world is your personal data transferred to? 

  • Your personal data is stored at rest in the United Kingdom (UK) and is accessed by your employer via a secure online portal.
  • This portal is accessible anywhere in the world by users with an internet enabled device (subject to access controls that can be enforced by your employer).
  • The list of users who can access your data via the online portal is decided and maintained by your employer.

 

7. How do we keep your personal data secure?

We will take specific steps (as required by applicable data protection laws) to ensure we take appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

 

8. How long do we keep your personal data for?

    • Your personal data for which FirstCare is a Processor will be kept on our system for 1 month following the termination of our service by your employer.
    • Your personal data for which FirstCare is a Controller will be kept on our system for 7 years following the termination of our service by your employer.

 

9. What are your rights in relation to your personal data and how can you exercise them?

  • You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
  • Where our processing of your personal data is based on you providing consent (to your employer for the data they control, or to FirstCare for the data we control), you have the right to withdraw your consent at any time, subject to any lawful requirements.
  • A brief summary of your rights is listed below, but we suggest you contact your employer for full details on how they intend to manage these processes.

| Your right | What does it mean? | Limitations and conditions of your right |
|---|---|---|
| Right of access | Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). | If possible, you should specify the type of information you would like to see to ensure that the disclosure meets your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people. |
| Right to data portability | Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format. | If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent and it covers only the personal data that has been provided to us by you. |
| Rights in relation to inaccurate personal or incomplete data | You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help your employer keep your personal information up to date and we encourage you to notify them of any changes regarding your personal data as soon as they occur. Please also contact FirstCare if you suspect that any of the data we control is inaccurate or incomplete. | This right only applies to your own personal data and you cannot request changes to another person’s personal data. When exercising this right, please be as specific as possible. |
| Right to object to or restrict our data processing | Subject to conditions, you have a right to object to or ask your employer and FirstCare to restrict the processing of your personal data. | As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. |
| Right to erasure | Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful. | As your employer is the Data Controller for your personal data you would need to direct this request to them. They will in turn direct FirstCare to delete your personal data where appropriate. Please note that we may not be in a position to erase your personal data if we need it to comply with a legal obligation. |
| Right to withdrawal of consent | As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. | If you withdraw your consent, this will only take effect for future processing. You will also need to direct this request to your employer, who may cite legal or legitimate reasons to continue processing your personal data. |

 

  • If you wish to exercise any of these rights please contact the appropriate individual (usually a Data Protection Officer) at your employer.
  • You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.

 

10. Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this notice during your first call to FirstCare following the update.

 

11. Data Subject Access Requests and Queries

If you wish to make a Data Subject Access Request or exercise any of the other rights listed above, or have any questions about the fair processing of your data at FirstCare, please direct them to: dataprotection@firstcare.eu

 

Version 1: Published on 18th May 2018.