Optimus Health Limited (Trading as Panacea Pharmacy) is a ‘Data Controller’ under Data Protection Legislation, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018.
This means we are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity.
Panacea is registered with the Information Commissioner’s Office; registration number ZA482156.
During the course of its employment activities, Panacea collects, stores and processes personal information about prospective, current and former staff.
This Privacy Notice includes data collected and used for applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
What types of personal data do we handle?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- Personal details such as name, address, telephone number(s), email, date of birth;
- Personal demographics (including gender, race, ethnicity, sexual orientation, religion);
- Medical information including physical health or mental condition (occupational health information);
- Emergency contact(s), e.g. next of kin details;
- Education and training;
- Biometric data (including facial recognition used for clock in/out systems);
- Employment details (including job role, place of work, references, proof of eligibility to work in the UK and security checks);
- Information relating to the validity of an individual’s passport;
- Membership of professional bodies and/or trade union(s);
- Bank details, e.g. in order to pay your salary;
- Pension details;
- Offences (including alleged offences), criminal proceedings, outcomes and sentences;
- Employment tribunal applications, complaints, accidents and incident details;
- Visual images, e.g. photographs on staff notice boards or CCTV monitoring;
- Records of Trust systems use (e.g. audit trails of system access);
- Supervision and appraisal documentation, including performance information for the purposes of capability reviews;
- Records of staff vaccination status for flu, Covid-19 and other applicable vaccinations (both of staff who have been vaccinated and those who have not);
- Records of staff Covid-19 testing results and status;
- Sickness absence and annual leave details;
- Information relating to staff who are members of the Trust’s car parking scheme, including car registration number and entry/exit times. This information is issued to the Trust by Parking Eye and North Tees and Hartlepool Solutions.
- Information regarding conflicts of interest and secondary employment;
- Information relating to investigations of a disciplinary nature, which includes witness statements, notes of meetings, outcomes of the investigations and sanctions (where relevant);
- Information relating to health and safety;
- Information relating to you and your family where required for pandemic planning and response.
What is the purpose of processing data?
We only collect and use your information for the lawful purposes of administering the business of Panacea. These purposes include:
- To undertake obligations and exercise specific rights in the field of employment, social security and social protection law;
- Staff administration and management (including payroll and performance)
- Pensions administration;
- Administration of salary sacrifice schemes;
- Business management, modelling and planning;
- Accounting and Auditing;
- Accounts and records;
- Crime prevention and prosecution of offenders;
- Education;
- Completion of local and national staff surveys;
- Verification of identity, including passports and processing of DBS (disclosure and barring service) applications;
- Health administration and services;
- To facilitate the management of healthcare systems and services
- To provide health protection services relevant to your employment;
- To support local and national flu and Covid-19 vaccination and testing programmes – for example we may share your vaccination / testing status that we store with your line manager, human resources and/or occupational health colleagues to contact you to provide relevant and appropriate health promotion, support and employee services where it is proportionate and relevant to do so or where we have a wider legal basis to do so for public interest or public health purposes;
- The provision and management of employee services (including occupational health, employee support wellbeing services and freedom to speak up);
- To allow the Trust to contact you to provide management, administration and employee services;
- To support the work of the Joint Forum;
- To publish declarations of conflicts of interest on the register available on Trust website;
- To keep images to identify you either as part of the various security access systems, including CCTV, or as part of an overall briefing system for senior managers;
- We may use footage from CCTV for training purposes but would pixelate individuals so they are non-identifiable;
- To allow the Trust policies to be implemented and acted upon when appropriate;
- Information and databank administration;
- Sharing and matching of personal information for national fraud initiative;
- To comply with the Transfer of Undertakings Protection of Employment (TUPE) Regulations;
- To facilitate the streamlining of NHS services;
- To comply with Public Health emergencies and requirements as your employer to protect you and your family
We may use your information in order to gather evidence for disciplinary and other staff processes. The use of this information will always be proportionate in relation to the evidence being sought.
What is our legal basis for processing?
We have a legal basis to collect and process this data as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes, following data protection and employment legislation.
We do not rely on consent to use your information as a ‘legal basis for processing’ for the above purposes. We rely on specific provisions made under Articles 6 and 9 of the General Data Protection Regulation (GDPR).
Personal Data
For entering into and managing contracts with employees the legal basis is:
- Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Where we have a specific legal obligation that requires the processing of personal data (e.g. informing HMRC of tax and NI, or for health and safety), the legal basis is:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we have a legitimate interest (e.g. sharing with partner organisations) for the processing of personal data, the legal basis is:
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Special Category Data (sensitive data)
Where we process special category data for employment or safeguarding purposes the condition used is:
- Article 9(2)(b) – processing is necessary for the purpose of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law;
Where we process special category data to assess the working capacity and provide occupational and health services to our employees the condition used is:
- Article 9(2)(h) – processing is necessary for the purpose of preventive or occupational medicine
Additional specific purposes and legal basis:
Vaccination and Testing Programmes – Where we collect and process information relating to staff vaccination and testing status and provide follow up, support and health promotion, the Trust relies on the legal basis set out above. However, where deemed appropriate, the Trust may also rely on Article 6(1)(d), where processing is necessary in order to protect the vital interests of either the staff or another person; and Article 9(2)(g) or Article 9(2)(h), where processing is deemed necessary in the Public Interest or for public health purposes.
ESR Streamlining – Our legal basis for this purpose (as described further in the sharing section of this document) is Article 6(f) Legitimate Interests – NHS organisations in utilising the streamlining programme, have a legitimate interest in the effective and efficient transfer of employees from one NHS organisation to another by the transfer of certain personal data.
Marketing – To keep images that appear in PANACEA or other publications or websites to market and promote PANACEA – the legal basis for this is per Article 6 (a) – Consent. You should be aware that once you have approved your image to appear in a publication we may not be able to completely retrieve this image if you change your mind about its use. Your image may appear again at a later date unless you specifically indicate otherwise.
Communication of critical messages – In order to utilise all communication methods available, key corporate messages may be sent via SMS to staff personal mobile phones with your consent. If you wish to receive these key messages on your personal phone, you would need to add your number to the Trust’s telephone book, which can be accessed via the main SharePoint site under the tab ‘Phonebook’. You can easily ‘opt in’ or ‘out’ by adding/deleting your mobile number from the field named ‘SMS Opt in Service’ at any time. Once your number is added here it will only be visible to yourself and a small number of staff who administer the system; it will not be visible to other staff across the Trust. Only messages deemed critical or of high importance will be shared in this way and we will endeavour only to send these messages during daytime / working hours. If you ‘opt in’ to this service the legal basis we will use to process your data this way is per Article 6 (a) – Consent.
Legal Proceedings – We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
- Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Disclosure and Barring Service (DBS) – Information relating to criminal convictions and offences is processed in accordance with GDPR Article 10 provisions and only where required, for example under the provisions of the Safeguarding Vulnerable Groups Act 2006 as the basis for Disclosure and Barring Service (DBS) checks and other processing of such data.
The legal basis for any other use will be explained at the point of collection within the relevant statutory provisions.
How do we keep information safe?
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.
All of the Information Systems used are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by us are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.
Your information is stored in both paper (personnel files held by Human Resources and/or your line manager) and also electronically on ESR. Other temporary files may be created as a result of investigations, disciplinary investigations, occupational health reviews or complaints but these will usually be kept separately from the personnel file or destroyed in line with the agreed destruction criteria. If a sanction is applied, it will be noted on the personnel file.
Everyone working for Panacea is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and consented to, unless it is required or permitted by the law. Our staff are trained to handle your information correctly and protect your confidentiality and privacy.
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
We also protect your information by following data protection laws:
- General Data Protection Regulation (GDPR)
- Data Protection Act (DPA) 2018
The GDPR and DPA are the laws that primarily determine how we can use your personal data. However, there are other laws that are followed if we need to process your information:
- The Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1998
- Audit Commission Act 1998
- Regulation of Investigatory Powers Act 2000
If you post or send offensive, inappropriate or objectionable content anywhere on the organisation’s website, Facebook, Twitter or any other official social media page, or otherwise engage in any disruptive behaviour, we may use whatever information is available to us about you to stop such behaviour.
Do we process information overseas?
On occasions your data may be processed outside the UK; in most circumstances it will remain within the European Economic Area (EEA). The same protection would be applied as if processed within this country. If your data is transferred outside the EEA we are required to comply with the Data Protection Act and to ensure that adequate protection, including appropriate and suitable safeguards and binding contractual clauses, is in place.
Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.
How long do we retain information?
Employment data will be retained in compliance with the Records Management Code of Practice for Health and Social Care 2023, which details retention periods for employment records. This is available on the NHS England website at NHSE Records Management CoP 2023 and in the Trust’s Records Management Policy.
We keep CCTV images for 28 days from the day of capture.
Who do we share information with and why?
There are a number of reasons why we share information. This can be due to:
- Our obligations to comply with legislation;
- Our duty to comply with any Court Orders which may be imposed;
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons or where we have another legal basis to share.
We will not routinely share any information about you to anyone outside the organisation without your consent. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
We may obtain and share personal information with a wide variety of other bodies, which may include, but is not limited to:
- His Majesty’s Revenue and Customs (HMRC);
- Department for Work and Pensions (DWP);
- Disclosure and Barring Service (DBS);
- Home Office;
- Child Support Agency;
- Regulatory bodies, e.g. NMC, GMC;
- Law enforcement agencies including the Police and the Serious Organised Crime Agency;
- NHS Business Services Authority – National NHS Electronic Staff Record (ESR) system.
- NHS England, NHS Improvement and NHS Digital.
We may also use the information we hold about you to detect and prevent crime or fraud and where appropriate and where we have a legal basis share with relevant agencies. We may also share this information with other bodies that inspect and manage public funds.
Data Processors – we have entered into contracts with other organisations to provide services for us. These contractors are known as ‘Data Processors’ and are subject to the same legal rules and conditions for keeping personal information confidential and secure.
We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.
To enable effective staff administration Panacea uses North Tees and Hartlepool NHS Foundation Trust (NTHFT) as a data processor to process your data on our behalf for payroll, human resource services, occupational health services, training services and the provision of information technology services in order to comply with our obligations to you as an employer.
University Hospital Tees (UHT) – NTHFT have formed University Hospital Tees (UHT) with South Tees Hospitals NHS Foundation Trust. UHT will allow both organisations to facilitate the management of healthcare systems and services across the UHT. Whilst part of the collaboration, NTHS will remain data controller in their own right and NTHFT will only share or process personal data of employees in accordance with the contract with NTHFT and has a legal basis to do so.
Electronic Staff Record – On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety.
Streamlining – Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers. NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce. The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS both to make costs savings for Trusts but also to save you time when your employment transfers.
Disclosure and Barring checks/information (DBS) – Given the nature of our organisation, DBS requirements may apply to our employees. We are required to carry out DBS checks for all clinical roles, other regulated roles and for any roles that involve contact with patients in the course of your normal duties. In all cases, we carry out the checks in line with the applicable law. For clinical and other regulated roles, the DBS checks will be repeated periodically during the course of employment in line with PANACEA processes.
We will always treat DBS information as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure.
DBS information will be deleted once the applicable checks have been completed subject to any exceptional circumstances and/or to comply with particular laws or regulations. DBS information will typically be retained for a maximum of 6 months, although the outcome of any check will remain on the employee’s record.
Freedom to Speak Up – Speaking up confidentially to the Freedom to Speak Up Guardian is when a member of staff reveals their identity on the condition that this will not be shared without their consent. It is important to understand that confidentiality can be preserved except where it is required to be disclosed by law. In some cases, for example, where a person has already shared information or where the facts of the case may enable others to identify them, maintaining confidentiality may be impossible. This will be discussed with the staff member and a range of means will be considered to ensure identity is protected even when further action is needed such as an investigation into the matter raised. The Freedom to Speak Up Guardian will share basic data to the National Guardian Office on a quarterly basis which are numbers of cases based on specific themes only.
What are your rights as an individual?
Data Protection law gives you rights in respect of the personal information that we hold about you, and these apply in circumstances where the relevant conditions are met.
You have the right:
- To be informed why, where and how we use your information.
- To ask for access to your information.
- To ask for your information to be corrected if it is inaccurate or incomplete.
- To ask for your information to be deleted or removed where there is no need for us to continue processing it.
- To ask us to restrict the use of your information.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
- To object to how your information is used.
- To challenge any decisions made without human intervention (automated decision making).
- To lodge a complaint to the supervisory authority – Information Commissioner’s Office (ICO).
For further information on your rights please visit the ICO website or contact the Data Protection Officer.
How can I access my information?
You can request access to the information that we hold about you and you should do this by approaching your line manager in the first instance. They will provide you with guidance on the process.
Your request, once agreed with you, will be completed within one calendar month. However, if your records are extensive we may take longer to process your request but will inform you from the outset.
Workforce contact
Post:
Human Resources Department,
Floor 3, North Wing,
University Hospital of North Tees,
Hardwick Road,
Stockton-On-Tees,
TS19 8PE
As well as receiving a copy of the information that we hold and process, you are also entitled to the following:
- To be told whether any personal data is being processed.
- To be given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people.
- To be given a copy of the personal data together with its source (where this is available).
What if I have concerns about how Panacea is handling my data?
The Data Protection Officer (DPO) is the person to contact if you would like to know more about how we use your information, if you require information in any accessible format or language, you wish to make a complaint or if (for any reason) you do not wish to have your information used in any of the ways described and to exercise your rights.
Data Protection Officer
The DPO can be contacted at:
Post:
Data Protection Officer
Information Governance Department
University Hospital of North Tees
Hardwick Road
Stockton-On-Tees
Phone
01642 383551
email
[email protected]
Should you wish to lodge a formal complaint about the use of your information you can also contact your line manager or the Human Resources Department either by phone (see internal telephone directory), in person or in writing:
Human Resources Department (NTHFT),
Floor 3, North Wing,
University Hospital of North Tees,
Hardwick Road,
Stockton-On-Tees,
TS19 8PE
Whilst we ask that you allow us time to address your concerns and that you come to us first, you also have the right to lodge a complaint with the supervisory authority directly if you are not content with the outcome of your confidentiality and data protection complaint and/or concern raised with the Trust.
You can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Post:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone:
0303 123 1113 (Local Rate) or +44 1625 545 745 (outside UK)
Website
www.ico.org.uk
Further Information
Should you have any further queries on the uses of your information, please speak to our Data Protection Officer, your line manager or to Human Resources.
Changes
It is important to point out that we may amend this Privacy Notice from time to time to ensure that you can stay in control of your data and you should check regularly for any changes.
Date Last Updated 30/09/2025