This Privacy Statement applies to you if you work for us, are engaged as a contractor or freelancer, or are working for us under a secondment arrangement. All references to “employment” within this  Privacy Statement refer to employment with NASP under a contract of employment, contract for services and/or secondment agreement.   

Who we are 

In this Privacy Statement, the words ‘we’, ‘us’, ‘our’ or ‘National Academy for Social Prescribing’ refers to the National Academy for Social Prescribing, whose registered address is Southbank Centre, Belvedere Road, London SE1 8XX. 

If you have any queries or questions about this Privacy Statement or how we use your personal data, please get in touch by emailing datamanagement@nasp.info. 

Our Privacy Statement 

The National Academy for Social Prescribing is a data controller of the personal data we process about you in relation to your employment with us. This means that we are responsible for deciding how we hold and use personal information about you. This Privacy Statement, which we are required by law to provide, explains what personal data we collect about you, how and why we use it, and explains your rights in relation to your personal data.  

This Privacy Statement does not form part of your contract of employment or any other contract in place to provide services. We may update this Privacy Statement at any time but if we do so, we will provide you with an updated copy of this Privacy Statement as soon as reasonably possible. 

It is important that you read and retain this Privacy Statement, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation. 

What personal data do we collect? 

Personal data means any information which identifies and relates to you (or from which you can be identified) for example your name and contact details. It does not include data where the identity has been removed (anonymous data). There are also certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation (known as special category personal data). Information about criminal convictions also warrants this higher level of protection. 

In connection with your employment with the National Academy for Social Prescribing, we will need to collect, store, and the use the categories of personal information about you and your working relationship with us. We will only collect the personal data we need and most of the personal data we collect is provided directly by you although personal data may also be provided to us by third parties, such as recruitment agencies, former employers, official bodies (such as regulators). For more information on the types of personal data we collect in relation to recruitment, please see our Privacy Statement – Recruitment. 

The personal data we may collect include: 

  • [personal contact information (including your name, home address, personal telephone number(s) and personal e-mail address)  
  • general personal information, including your date of birth, gender, nationality, photograph, marriage/ partnership status and any dependants * 
  • employee information including your job role, job banding, employee number, length of service and working arrangements (i.e. working hours, part time arrangements)* 
  • information require to facilitate payment to you, including details of your salary, bank account details, NI number, and any necessary tax reporting information * 
  • details of any leave you are entitled to, or have taken (including holiday, sickness absence and carers leave) * 
  • details of any performance management, grievances, disciplinary processes* 
  • employment history and other relevant experience 
  • information relating to professional memberships, qualifications and training (including, but not limited to professional revalidation)  
  • reference information and information received from background checks including information provided by third parties  
  • your right to work in the UK (including a photocopy of your passport or other immigration document)* 

 Some of the data we collect about you might include special category personal data, which is data relating to: 

 Physical or mental health, including any disabilities* 

  • [Racial or ethnic origin* 
  • Political opinions* 
  • Religious or philosophical beliefs* 
  • Trade union membership* 
  • Genetic data* 
  • Biometric data* 
  • Sexual orientation and sex life*] 

 The list set out above is not exhaustive, and there may be other personal data which we collect, store and use in the context of our employment activities. In particular, we do collect information for equality, diversion and inclusion purposes, but this is held in statistical, fully anonymised format only and so is not considered personal data (as you cannot be identified from it).  As above, we will update this Privacy Statement to reflect any notable changes in the categories of personal data which we process.  

How we use your personal data 

We may use your information for a number of different purposesWe have set out below the main purposes for which your personal data is processed in the below table:  

  • Purpose of processing  

We will process your personal data for the following purposes: 

  • Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions. 
  • Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties. 
  • Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of employee benefits. 
  • Administering the contract we have entered into with you. 
  • Business management and planning, including accounting and auditing. 
  • Conducting performance reviews, managing performance and determining performance requirements. 
  • Making decisions about salary reviews and compensation. 
  • Assessing qualifications for a particular job or task, including decisions about promotions. 
  • Gathering evidence for possible grievance or disciplinary hearings. 
  • Making decisions about your continued employment or engagement. 
  • Making arrangements for the termination of our working relationship. 
  • Education, training and development requirements. 
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work. 
  • Ascertaining your fitness to work. 
  • Managing sickness absence. 
  • Complying with health and safety obligations. 
  • To prevent fraud. 
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies. 
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. 
  • To conduct data analytics studies to review and better understand employee retention and attrition rates. 
  • Equal opportunities monitoring. 

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.  

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

  • Lawful basis 

 We will only use your personal information when the law allows us to. This means we must have a ‘lawful basis’ for doing so under Article 6 of the UK GDPR. Our lawful basis will vary depending on the purpose, but the lawful bases we generally rely on are: 

 Article 6(1)(b) – Performance of a contract – to carry out our obligations arising from your employment or other contract entered into between you and us; 

  • Article 6(1)(f) – Legitimate interests – where we have a legitimate interest to process your personal data for purposes related to the advancement of social prescribing through promotion, collaboration and innovation, to help us improve, to listen to feedback 
  • Article 6(1)(c) – Legal obligation – in some circumstances we may need to process your personal data to comply with a common law or statutory legal obligation, for example, where our regulators require us to hold certain records of our dealings with you.] 

 Where we process special category data, such as health data, as well as one of the above lawful bases, we must also have an additional lawful basis under Article 9 of the UK GDPR. The additional lawful bases that we most commonly used for processing special category personal data are: 

 Article 9(1)(b) – Employment – processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment 

  • Article 9(1)(h) – preventative or occupational medicine– the use is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis  
  • Article 9(1)(h) – Legal claims – where we need to use such personal information to establish, exercise or defend our legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves. 

How we share your data and who with 

 We may need to share your personal data with others. If that is the case, we will keep your personal information confidential and only share it with organisations for the purposes explained in the previous section. We also ensure that we have contracts in place with our suppliers, and that the contract includes the required data protection provisions.  

For example, we may need to share data with the following: 

  • legal advisors, accountants and other professional advisers 
  • auditors and professional service firms who act on our behalf
  • HMRC and/or any other applicable government bodies  
  • other organisations when providing references/secondment data
  • occupational Health providers 

Where required, we may share your data to other organisations for the prevention and detection of crime, including for fraud detection and/or prevention purposes, or where we are legally required to share your data.  

Your duty to inform us of changes 

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us 

How long we retain your personal data 

We will only hold your personal data for as long as it’s needed for the purpose we collected it for. The precise period of time will depend upon the particular information, what we are using it for and any legal or statutory requirements. We maintain a Data Retention Policy which includes details of our agreed retention periods for specific types of information, including the amount of time for which we process information relating to your employment.  

Once you are no longer an employee, worker or contractor of National Academy for Social Prescribing we will retain and securely destroy your personal information in accordance with our Data Retention Policy  and applicable laws and regulations.  A copy of the Data Retention Policy can be provided on request, but if you would like more information about our data retention practices, please contact us by emailing datamanagement@nasp.info 

International Data Transfers 

Sometimes we, or third parties working on our behalf, may need to transfer personal data outside of the UK. If that is the case, we will take the necessary steps to ensure that appropriate safeguards are in place. Some transfers may be to countries that are considered to have adequate levels of protection, such as those in the European Economic Area. For transfers to other countries, we may put contracts in place with the party to whom we are sending information. 

If you would like further details regarding international transfers, please contact us by emailing datamanagement@nasp.info 

How we protect your personal data  

We take the security of your personal data seriously and use technical, organisational and physical security measures to protect your personal data. Unfortunately, the transmission of information via the internet is not completely secure.  Although we will do our best to protect your personal data, we cannot guarantee the security of data that you transmit to our site; any transmission is therefore at your own risk. 

We also provide appropriate training to our employees to help us comply with our data protection obligations 

Automated decision-making 

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.   

Your Data Subject Rights 

You have a number of legal rights under data protection laws including: 

  • Access to your personal data – you can ask us to provide a copy of your information together with specified details about how we use your personal data 
  • Rectification – If you believe that your personal data is inaccurate, incomplete or out of date, you may ask us to rectify it 
  • Erasure – in certain circumstances, you may have a right to request erasure of your personal data but this is not an absolute right 
  • Restricting processing – you may ask us to restrict or suppress the processing of your personal data in certain circumstances 
  • Data portability – in some cases, you have a right to move, copy or transfer certain personal data that have been provided by you to another organisation  
  • Objection – you can object at any time if you want us to stop sending you direct marketing. You can also object for some other types of processing in certain circumstances. 
  • Automated decision making and profiling – you have the right not to be subject to decision-making or profiling which is based on automated process, unless certain criteria are fulfilled.  However, as confirmed above we do not undertake any automated processing. 
  • Withdrawal of consent – if our legal basis for processing your personal data is consent, you may withdraw your consent at any time 

 Many of these rights are not absolute or may be subject to exemptions in certain circumstances. 

 If you wish to exercise any of these rights, you can contact us by emailing datamanagement@nasp.info  

You may also find further information about your rights using the Information Commissioner’s Officer (ICO) website: https://ico.org.uk/your-data-matters/ 

If you are not happy with how we handle your personal data, please contact us by emailing datamanagement@nasp.info  You may also choose to make a complaint to the ICO 

Updates  

This Privacy Statement is updated from time to time, for example if a change is needed due to legal requirements or a change in processing activities. Please check this page from time to time to see the current version. 

We last updated this Privacy Statement on 27th September 2021.