Data integrity, security and confidentiality are vitally important to FirstCare. It is our goal to keep your data safe, secure and accurate, and to achieve this we operate an ISO27001 certified Information Security Management System (ISMS) that ensures FirstCare remains compliant with all applicable data protection legislation, including the General Data Protection Regulation (GDPR).

1. Introduction

    • This privacy notice explains how and why FirstCare Limited, including each of its operating entities (also referred to as “FirstCare”, “we”, “our” and “us”) uses personal data concerning employees (referred to as “you”) in the provision of our absence management service to their employer (also referred to as “client” and “they”).
    • You should read this notice, so that you know what we are doing with your personal data.

 

2. FirstCare’s data protection responsibilities

  • “Personal data” is any information that relates to an identifiable person. Your name, date of birth and contact details are all examples of your personal data, if they identify you.
  • The term “process” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.
  • FirstCare is a “processor” of your personal data. Your employer remains the “controller” of your personal data. This means that they make decisions about how and why we process your personal data.

3. What types of personal data do we collect and where do we get it from?

  • We collect many different types of personal data about you. Some of it will be provided by you directly to FirstCare. Some of it will be provided to FirstCare directly by your employer. For full details please see the table below:

| Ref | Data | Type | Collected from | Controller |
|---|---|---|---|---|
| 1 | Employee Ref | Mandatory | Your employer | Your employer |
| 2 | First name | Mandatory | Your employer | Your employer |
| 3 | Surname | Mandatory | Your employer | Your employer |
| 4 | Date of Birth | Optional | Your employer | Your employer |
| 5 | Gender | Optional | Your employer | Your employer |
| 6 | Hard of Hearing Status | Optional | Your employer | Your employer |
| 7 | Work Phone Number | Mandatory | Your employer | Your employer |
| 8 | Work Email Address | Mandatory | Your employer | Your employer |
| 9 | Position Reference Number | Optional | Your employer | Your employer |
| 10 | Position Job Title | Optional | Your employer | Your employer |
| 11 | Contracted Hours/Days | Mandatory | Your employer | Your employer |
| 12 | Employment Type | Optional | Your employer | Your employer |
| 13 | Employment Start Date | Mandatory | Your employer | Your employer |
| 14 | Absence Start Date | Mandatory | You | Your employer |
| 15 | Absence End Date | Mandatory | You | Your employer |
| 16 | Absence Type | Mandatory | You | Your employer |
| 17 | Disclosed Absence Reason | Optional | You | Your employer |
| 18 | Withheld Absence Reason | Optional | You | FirstCare |
| 19 | Absence Time Lost | Mandatory | You | Your employer |
| 20 | Fit Note Dates | Optional | You | Your employer |
| 21 | Current Symptoms/Illness | Optional | You | FirstCare |
| 22 | Medical History | Optional | You | FirstCare |
| 23 | Current Medications | Optional | You | FirstCare |
| 24 | Allergies | Optional | You | FirstCare |
| 25 | Contact Telephone Number for FirstCare communications | Optional | You | FirstCare |
| 26 | Contact Telephone Number for passing on to your employer | Optional | You | Your employer |
| 27 | IP Address (Only processed if you have access to the myFirstCare portal) | Situational | You | FirstCare |
| 28 | Call Recording | Mandatory | You | FirstCare |

  • Note that the option to share data items 21 to 24 with FirstCare is only available if your employer has purchased FirstCare’s ‘Complete Support’ service. If you are unsure which version of the FirstCare service your employer has purchased from FirstCare please contact your HR team.

 

4. What do we do with your personal data, and why?

  • We process your personal data in order to facilitate the necessary, fair and consistent management of your unplanned absences from work, in line with the contract of employment that you have agreed with the employer.
  • Please note that FirstCare does not use your personal data for any form of automated decision making.
  • We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you and is used to analyse aggregated absence trends at your employer.

 

5. Who do we share your personal data with, and why?

  • We need to disclose your personal data to your employer in the form of absence notifications and reports, to enable them to manage your absence from work.
    • Please note that for data items 1 to 13 we are simply sharing data with your employer that they already control.
    • For data items 14 to 19, this information is shared with your employer and any additional representatives they have nominated (such as Occupational Health, Payroll or Health & Safety). 
    • Data items 21 to 25 and 28 are never shared with your employer or any other third party.
  • In the usual course of our business we may disclose your personal data (which will be limited to the extent reasonably necessary) to certain third party sub-processors that we use to support the delivery of our service. This may include the following:
    • Text Message distribution services for the issuing of absence notifications.
    • Overflow contact centres for use in business continuity and disaster recovery plans.
    • Where we utilise a third party sub-processor we ensure that they operate under contractual restrictions with regards to confidentiality and security, in addition to their existing obligations under Data Protection Laws.

       

    • On extremely rare occasions FirstCare may have cause to be significantly concerned for the immediate health and welfare of a data subject. In these scenarios, FirstCare, in the vital interests of the data subject, may share any appropriate and necessary data with an emergency service, or nominated emergency contact within the client organisation.


6. Where in the world is your personal data transferred to? 

  • Your personal data is stored at rest in the United Kingdom (UK) and is accessed by your employer via a secure online portal.
  • This portal is accessible anywhere in the world by users with an internet enabled device (subject to access controls that can be enforced by your employer).
  • The list of users who can access your data via the online portal is decided and maintained by your employer.

 

7. How do we keep your personal data secure?

We will take specific steps (as required by applicable data protection laws) to ensure we take appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

 

8. How long do we keep your personal data for?

    • Your personal data for which FirstCare is a Processor will be kept on our system for 1 month following the termination of our service by your employer.
    • Your personal data for which FirstCare is a Controller will be kept on our system for 10 years following the termination of our service by your employer.

 

9. What are your rights in relation to your personal data and how can you exercise them?

  • You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
  • Where our processing of your personal data is based on you providing consent (to your employer for the data they control, or to FirstCare for the data we control), you have the right to withdraw your consent at any time, subject to any lawful requirements.
  • A brief summary of your rights is listed below, but we suggest you contact your employer for full details on how they intend to manage these processes.

| Your right | What does it mean? | Limitations and conditions of your right |
|---|---|---|
| Right of access | Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). If possible, you should specify the type of information you would like to see to ensure that the disclosure meets your expectations. | We must be able to verify your identity. Your request may not impact the rights and freedoms of other people. |
| Right to data portability | Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format. If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. | This right only applies if the processing is based on your consent and it covers only the personal data that has been provided to us by you. |
| Rights in relation to inaccurate personal or incomplete data | You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help your employer keep your personal information up to date and we encourage you to notify them of any changes regarding your personal data as soon as they occur. Please also contact FirstCare if you suspect that any of the data we control is inaccurate or incomplete. | This right only applies to your own personal data and you cannot request changes to another person’s personal data. When exercising this right, please be as specific as possible. |
| Right to object to or restrict our data processing | Subject to conditions, you have a right to object to or ask your employer and FirstCare to restrict the processing of your personal data. | As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. |
| Right to erasure | Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful. | As your employer is the Data Controller for your personal data you would need to direct this request to them. They will in turn direct FirstCare to delete your personal data where appropriate. Please note that we may not be in a position to erase your personal data if we need it to comply with a legal obligation. |
| Right to withdrawal of consent | As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. | If you withdraw your consent, this will only take effect for future processing. You will also need to direct this request to your employer, who may cite legal or legitimate reasons to continue processing your personal data. |

  • If you wish to exercise any of these rights please contact the appropriate individual (usually a Data Protection Officer) at your employer.
  • You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/

10. Our legal basis for data processing

FirstCare is registered with the Information Commissioner’s Office and has taken great care to ensure that a legal basis can be established for the processing of the above data.

Lawful purposes:

Ref Lawful basis
1 Data subjects have given their explicit consent to the processing
2 It is necessary for the performance of a contractual obligation
3 It is necessary for FirstCare to comply with a legal obligation
4 It is necessary in order to protect the vital interests of the data subject or of another natural person
5 It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6 It is necessary for the purpose of the legitimate interests pursued by the controller or a third party

 

FirstCare's legal basis:

The table below indicates which of the 6 legal bases applies to each piece of data processed or controlled by FirstCare:

Ref Data Type Collected from Controller 1 2 3 4 5 6
1 Employee ref Mandatory Your employer Your employer
2 First name Mandatory Your employer Your employer
3 Surname Mandatory Your employer Your employer
4 Date of Birth Optional Your employer Your employer
5 Gender Optional Your employer Your employer
6 Hard of hearing status Optional Your employer Your employer
7 Work phone number Mandatory Your employer Your employer
8 Work email address Mandatory Your employer Your employer
9 Position reference number Optional Your employer Your employer
10 Position job title Optional Your employer Your employer
11 Contracted hours/days Mandatory Your employer Your employer
12 Employment type Optional Your employer Your employer
13 Employment start date Mandatory Your employer Your employer
14 Absence start date Mandatory You Your employer
15 Absence end date Mandatory You Your employer
16 Absence type Mandatory You Your employer
17 Disclosed absence reason Optional You Your employer
18 Withheld absence reason Optional You FirstCare
19 Absence time lost Mandatory You Your employer
20 Fit note dates Optional You Your employer
21 Current symptoms/illness Optional You FirstCare √*
22 Medical history Optional You FirstCare √*
23 Current medications Optional You FirstCare √*
24 Allergies Optional You FirstCare √*
25 Contact telephone number for FirstCare communications Optional You FirstCare
26 Contact telephone number for passing on to your employer Optional You Your employer
27 IP address (only processed if you have access to the myFirstCare portal) Situational You FirstCare
28 Call recording Mandatory You FirstCare

* Right to withdraw consent unavailable due to information being necessary for the legitimate interests pursued by the controller and being of vital interest to the data subject themselves.

Additional Considerations:

  • FirstCare is registered with the Information Commissioner’s Office.
  • FirstCare has in place an Information Security Management System (ISMS) which can demonstrate compliance with the six principles of the General Data Protection Regulation (GDPR).
  • FirstCare’s ISMS and processes have been reviewed by Eversheds for legal appropriateness and legitimate reasons exist for the processing of data.
  • None of the data recorded by FirstCare is used in automated decision-making or telemarketing.
  • FirstCare remains a Data Processor for all information provided to it by the client.
  • FirstCare is a Data Controller for the medical advice it provides, enabling it to conform with the regulatory requirements of the Nursing and Midwifery Council (NMC).
  • The Data Subject (i.e. employees calling FirstCare) retains full control over the dissemination of their Sensitive Data, which will not be disclosed to any party without the employee’s consent.

11. Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this notice during your first call to FirstCare following the update.

 

12. Data subject access requests and queries

If you wish to make a Data Subject Access Request or exercise any of the other rights listed above, or have any questions about the fair processing of your data at FirstCare, please direct them to: dataprotection@firstcare.eu

 

Version 10 - Date Updated: June 8th 2018