1. Introduction

1. The General Data Protection Regulation (GDPR), which comes into force in May 2018, increases the level of regulation surrounding the processing of information relating to individuals. The existing requirements under the Data Protection Act will be replaced by the GDPR, and this policy therefore aims to ensure Nursefinders' continued compliance with applicable legislation.

    2. GDPR is concerned with obtaining, holding, using or disclosing of personal data. This includes data gathered for various purposes, including but not limited to marketing, sales of goods or services, employment and research.

    3. In this policy, the Company is primarily concerned with the collection and processing of:

      1. Worker information;

      2. Client (Host Employer) information;

      3. Supplier information;

      4. Information provided to Nursefinders as a third party to enable us to deliver services to our clients, i.e. information regarding their workers, suppliers and contractors.

    4. The legislation covers computerised records as well as manual filing systems.

    5. Nursefinders is committed to holding the minimum personal information necessary to enable it to perform its functions. All such information is confidential and therefore must be treated with care to comply with the law.

    6. Any breach of this Policy, whether deliberate or through negligence, may lead to disciplinary action being taken or even a criminal prosecution.

2. Summary of Data Protection Principles

    1. The principles of GDPR state that personal data shall be:
      1. Processed lawfully, fairly and in a transparent manner in relation to individuals;

      2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

      3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

      4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;

      5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

      6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

    2. Nursefinders and all workers who process or use personal data must ensure that they abide by these principles at all times. This policy has been developed to help ensure this happens.

3. Lawful Grounds for Processing Personal Data

    1. Lawful grounds for processing personal data include:
      1. Consent: where the Worker/Client gives their express agreement to the Company obtaining and processing their personal data.

      2. A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employment contract.

      3. Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement, e.g. providing information to HMRC.

      4. Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).

      5. A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.

      6. Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.

    2. Where consent is considered the most appropriate way to demonstrate lawful processing of data, the Employer must also bear in mind that consent can be withdrawn by anyone listed in point 2.1.
    3. If the withdrawal of consent would prevent the Employer from carrying out its legitimate business, then the consent was, in any case, arbitrary and therefore not an appropriate method of demonstrating lawful grounds for processing data. For consent to be effective, it must be given on the basis that the data subject has a real choice over how their data is collected and used.

4. Individual Rights

    1. The GDPR provides the following rights for individuals:
      1. The right to be informed;

      2. The right of access;

      3. The right to rectification;

      4. The right to erasure;

      5. The right to restrict processing;

      6. The right to data portability;

      7. The right to object;

      8. Rights in relation to automated decision making and profiling.

5. Data Protection Officer

    1. Large scale data-processors, public authorities and organisations who process specific types of sensitive data, such as criminal convictions and offences, are required to appoint a Data Protection Officer (DPO).

    2. It is therefore not necessary for Nursefinders to appoint a DPO under the provisions of the GDPR; however, Nursefinders feels that such a role is in the best interests of the business, and the Registered Manager has been appointed as Nursefinders' DPO.

    3. It is the responsibility of the Data Protection Officer to:

      1. Inform and advise the organisation and its workers about their obligations to comply with the GDPR and other data protection laws;

      2. Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, arranging GDPR training for staff and conducting internal audits;

      3. Be the first point of contact for supervisory authorities and for individuals whose data is processed (workers, clients etc.).

    4. It is NOT the responsibility of the Data Protection Officer to apply the provisions of the Data Protection Act or GDPR. That is the responsibility of everyone within the Company who collects, keeps or uses personal data. Therefore, all staff are required to be aware of the provisions of the Data Protection Act and GDPR, such as keeping records up to date and accurate, and of their impact on the work they undertake on behalf of the Company.

    5. Nursefinders will ensure that adequate resources are provided to enable the DPO to meet their GDPR obligations.

6. Data Security

    1. Under the GDPR, Nursefinders staff plus our Clients and Suppliers are responsible for ensuring that:

      1. Any (reciprocal) personal data held, whether in electronic or paper format, is kept securely, particularly from casual observation.

      2. Personal information is not disclosed deliberately or accidentally either verbally or in writing to any unauthorised third party. If in doubt, do not disclose the information and check with our Data Protection Officer.

    2. Records will normally be kept for a minimum of 3 years following completion of any work or requirement for the information to be kept, or in the case of employment records, for a minimum of six years following the termination of the Worker’s employment with the Company.

7. Subject Access Requests

    1. Staff, clients and suppliers have the right to access personal data that is being kept about them, insofar as it falls within the scope of the GDPR.

    2. Any person wishing to exercise this right should make their request in writing to the DPO.

    3. The information will normally be provided free of charge, unless the request is manifestly unfounded, excessive or repetitive. In such cases Nursefinders reserves the right to either:

      1. Charge a reasonable fee to cover the administrative costs associated with providing the information. If the Company considers it reasonable to charge a fee for providing information, the Worker or data subject will be notified of this in advance, and payment will be required before the request is processed; or
      2. Refuse to respond to the request, setting out in writing to the data subject why the request has been refused.

    4. In the unlikely event that Nursefinders refuses to respond to a subject access request, the data subject has the statutory right to raise a complaint with the Information Commissioner's Office (ICO). Nursefinders has been registered with the ICO since 2003 (Ref No: Z7636722).

    5. Nursefinders aims to comply with a request for access to personal information as quickly as possible, but the Company must comply with a subject access request within one month of receipt of the request or, if later, within one month of receipt of the identity information required, the completed subject access request form and the relevant fee (if applicable).

    6. Nursefinders will normally respond to such requests in electronic format; however, hard copies can be issued upon request.

8. Breach Reporting

    1. The GDPR requires that any breach of security of personal data be reported to the relevant authority within 72 hours of becoming aware of the breach, where feasible.

    2. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Nursefinders will also inform those individuals without undue delay.

    3. Nursefinders will also keep a record of any personal data breaches, regardless of whether we are required to notify any external authority.

9. Information Held by Nursefinders

    1. Information held by Nursefinders may include, but is not limited to, the following:

      1. Application form
      2. Candidate Checklist
      3. References
      4. Signed contract
      5. Training & Qualifications
      6. Notes of meetings, including investigatory and/or disciplinary hearings
      7. Payroll submissions / NEST pension contributions
      8. Invoices / Statement of Accounts
      9. Email address
      10. Terms & Conditions of Business to Supply Agency Staff
      11. Equal Opportunities form
      12. Bank account details
      13. Forms of ID, including photo
      14. Health Declaration form
      15. Supervision/Appraisal notes
      16. Nursefinders Staff profile
      17. Student loan deductions
      18. CQC reports
      19. Risk Assessments
      20. CV (if applicable)
      21. Signed Job Description
      22. Interview notes
      23. DBS (copy)
      24. Compliments & Complaints


This document conforms to our own Policies & Procedures and GDPR, but also complies with the Fundamental Standards set by the Care Quality Commission (CQC).