Data Protection and Privacy

Privacy Notice

This explains how Suffolk County Council Human Resources uses employee and job applicant information.

The categories we collect, process, hold and share include:

  • personal information (such as name, address, next of kin and bank details)
  • vehicle information (such as make, model and registration)
  • characteristics (such as ethnicity, sexual orientation and religion / belief)
  • qualification and skills information (such as qualification dates)
  • previous employment records (such as date of employment and reasons for leaving)
  • sickness and medical information (such as periods of and reasons for absence and occupational health referrals and reports)
  • performance information (such as PDR objectives and outcomes / 9 box grid placement)
  • employee relations information (such as disciplinary, grievance and capability casework)
  • COVID-19 purposes, which include employee Screening Questionnaires, contact tracing and vaccinations
  • records of individuals' access to SCC buildings via ID card / WINPAK system.

Why we collect and use this information

We use employee / applicant data to:

  • enable us to carry out specific functions for which we are responsible
    • running payroll (including paying mileage and expenses, SSP, SMP)
    • statutory reporting
    • maintaining employment records
  • produce anonymous statistical information (such as characteristics of employees and / or applicants)
  • longlist, shortlist and make decisions about applicants' suitability to undertake a specific role
  • produce anonymous reporting about the organisation (such as absence reporting)
  • manage sickness, disciplinary, grievance, capability, conduct and other employee relations casework
  • support occupational health referrals
  • provide staff benefits to employees
  • undertake safeguarding and pre-employment checks (such as Disclosure and Barring Service (DBS) check)
  • undertake staff surveys
  • comply with local and national workforce requirements during the Covid-19 pandemic.

The lawful basis on which we use this information

We have a lawful basis to collect, process, hold and share this information, as detailed in paragraphs 1 b) and 1 c) and (e) of Article 6 of the General Data Protection Regulation (GDPR), as detailed below:

  • b) UK GDPR, Article 6 (b) - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
  • c) UK GDPR Article 6(e) - public task (Covid-19 purposes) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and for the processing of special category data, Article 9(2)(i) (Public Health);
  • d) Consent – for processing information about staff who have volunteered to administer Covid-19 vaccinations and explicit consent for processing sensitive data required from volunteers for this purpose;
  • e) UK GDPR, Article 6 (c) - processing is necessary for compliance with a legal obligation to which the controller is subject;

Collecting this information

Whilst the majority of employee / applicant information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you whether you are required to provide certain information to us or if you have a choice in this.

Storing this information

We hold your data for the following periods:

  • Applicant data is held for one year following an unsuccessful job application.
  • General employee data (personal, vehicle, characteristics, qualification and skills), previous employment records and performance is stored for the duration of the individual’s employment, plus seven years.
  • Absence data and medical records are stored for the current year, plus two years, except for health surveillance records which are kept for up to 40 or 50 years, depending on which type of record they are.
  • Employee relations case files (disciplinary, grievance, capability and conduct) are stored for two years, unless a different retention period is identified as part of the outcome of the case. 
  • COVID-19 Screening Questionnaire information is held for as long as required to manage the staff risks associated with COVID-19.
  • Staff accessing SCC buildings data is held for 1 year.

In addition to the records held by HR, line managers will hold local data in relation to managing employees and these records will be stored for two years.

Who we share this information with

We routinely share employee / applicant information with:

  • the Office of National Statistics (ONS) on a statutory basis under section 1 of Statistics of Trade Act 1947
  • Her Majesty’s Revenue and Customs (HMRC) on a statutory basis under
    • the Income Tax (Pay As You Earn) Regulations 2003 (SI 2003/2682);
    • the Social Security (Contributions) Regulations 2001 (SI 2001/1004); and
    • the Income Tax (Construction Industry Scheme) Regulations 2005 (SI 2005/2045)
  • Child Maintenance Service on a statutory basis under the 1993, 2003 or 2012 Child Maintenance Schemes
  • Duradiamond Healthcare, our Occupational Health provider, on a contractual basis as part of pre-employment checks, management or ill health retirement referrals detailed in our Sickness Absence policy
  • Sodexo Holdings Limited, our staff benefits provider, on a contractual basis to provide staff benefits to employees
  • Tuskerdirect Limited, a staff benefit provider, on a contractual basis to provide a salary sacrifice car scheme to employees
  • BMG Research, an independent research agency, on a contractual basis to provide our staff survey
  • Kent County Council, our criminal records check provider, on a statutory and contractual basis to undertake DBS checks on our behalf
  • Learning Pool Limited, our e-learning provider, on a contractual basis to allow access to our e-learning platform
  • KCS Professional Services on a contractual basis to provide our lease car scheme. KCS Professional Services routinely shares your information on a statutory basis, with other public agencies or enforcement agencies such as Police Forces, Dart Charge, Local Authorities for the purposes of transferring liability for any fees, fines or penalties relating to traffic offences during the period of your contract
  • CTM (North) Limited on a contractual basis to provide a business travel booking service to employees. 
  • Essex Partnership University NHS Foundation Trust (EPUT) on a consent basis for staff volunteering to assist with the COVID-19 community vaccination programme.
  • The NHS on the basis of public task to prepare and offer COVID-19 vaccinations to our Critical Staff.
  • NHS Test and Trace on the basis of public task tracing for staff working in our buildings.

We will share employee information with third parties as part of Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). The data provided will be in two parts:

  • Anonymised data detailing staff numbers, staff absences, numbers and kinds of employee relations cases. This data forms part of the initial due diligence relating to any TUPE transfer and will be shared with any third party with a specific interest in transferring staff as part of a commercial or procurement project
  • Specific “employee liability information”, including but not limited to:
    • the identity of the employees who will transfer;
    • the age of those employees;
    • information contained in the ‘statements of employment particulars’ for those employees;
    • information relating to any collective agreements which apply to those employees;
    • instances of any disciplinary action within the preceding two years taken by the transferor in respect of those employees in circumstances where the Acas Code of Practice on discipline and grievance applies;
    • instances of any grievances raised by those employees within the preceding two years in circumstances where the Acas Code of Practice on discipline and grievance applies; and
    • instances of any legal actions taken by those employees against the transferor in the previous two years, and instances of potential legal actions which may be brought by those employees where the transferor has reasonable grounds to believe such actions might occur.
This data forms part of the due diligence relating to a TUPE transfer and will be shared with the third party identified as the future employers of staff after the transfer, following or as part of a commercial or procurement activity.

In both cases the information will be provided as part of our statutory obligations detailed in Regulation 11 of the Transfer of Undertakings (Protection of Employment) Regulations 2006. Other data sets may voluntarily be provided as part of the TUPE process.

Why we share this information

We share employee / applicant data with the third parties detailed above in order to meet statutory or contractual requirements.

Data collection requirements

To find out more about the data collection requirements placed on us by the ONS and HMRC go to:

Both the ONS and HMRC may share information about employees / applicants for

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The ONS and HMRC have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.

Decisions on whether Human Resources releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested; and
  • the arrangements in place to store and handle the data.


To be granted access to employee / applicant information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.


Requesting access to your personal data


Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information email

You also have other rights regarding your personal data which are set out in Suffolk County Council's corporate Privacy Notice, which can be accessed via this link to Suffolk County Council's privacy and data protection page.

If you have a concern about the way we are collecting or using your personal data, please contact us in the first instance, by writing to the Data Protection Manager at Constantine House, 5 Constantine Road, Ipswich IP1 2BX or by e-mailing


Alternatively, you can contact the Information Commissioner’s Office.

Further information

You can follow this hyperlink to view Suffolk County Council's corporate privacy notice.

If you would like further information about this privacy notice, please click this link to email

We process data submitted through Suffolk Jobs Direct and recorded on iTrent on behalf of our partners; Mid Suffolk District Council, Babergh District Council, Suffolk Coastal District Council, Waveney District Council, South Norfolk Council and Schools' Choice. For details of their privacy statements, please follow the below hyperlinks: