01 / 10 / 2019
Watch this webinar from the Step into Health programme which gives a full overview of the new candidate monitoring system, including a demonstration of how the system will work, and an overview of the data sharing agreements that will need to be in place.
The speakers are:
- Chair: Olivia Desmond, Step into Health programme, NHS Employers
- Stephen McCarroll, Cite digital agency
- Rob Stead, Data protection manager, NHS Employers
Download a copy of the webinar slides.
To take forward your ongoing commitment for Step into Health we ask you to review the documents below and return the joint controller and information sharing agreement and the 2019 pledge certificate as soon as possible. We will then grant you access to the system.
Answers to questions asked during webinar:
Will there be an option for them to opt out, or are they automatically signed up?
Users invited to sign up to Step into Health must complete the registration form before their details are saved. If a user ignores the invitation email and does not register within defined period the system will delete their details.
Is there likely to be any children's (under 18) data - cadets?
No, the system is only intended to be used by persons over 18 years old, specifically those in the adult armed forces community and NHS staff.
Presumably once a candidate has been placed their information is no longer available to all participating organisations, only their employer and NHS Confed?
When a candidate has been placed in employment or declared they are no longer interested, their record becomes viewable only to NHS Confed users and hidden to all other NHS organisations.
Does the system have access audit capability? Although data are special category, financial info often considered confidential and candidates may consider that we have a duty of confidence to their contact details and 'fact' of them being registered on the site.
No financial information will be recorded on the tool. The system has a chronological audit trail of user logins which are date/time stamped.
Is NHS Confed promoting this service through all the Armed Services?
Yes – to go alongside the launch of the tool we have a full comms plan to promote within the Armed Forces community. Any messaging via social media routes or websites can be shared by all employers.
Is there any measurement of uptake as a result of any promotional activities on Step into Health?
The tool will enable us to track where members of the Armed Forces community heard about Step into Health.
Has there been any feedback from the Armed Forces about this project?
Yes – we have engaged with them throughout the design process to ensure the tool meets their needs.
As there is no link to NHS Jobs or TRAC, are we not in danger of double entry or reporting?
Currently we are not exploring a link to TRAC/NHS Jobs as the majority of the interventions recorded by our tool will cover the pre-employment side of a candidates journey. Once they apply for roles and are offer TRAC/NHS Jobs adequately cover this.
Will usernames/passwords be emailed to us?
Yes – once we have organisations returned pledge certificates and data sharing agreements we can send these over.
What prevents a member of the general public from registering and using this tool?
We will be spot checking the information provided by those registering with the tool. The questions asked at registration plus our comms messages should limit this from happening.
The data sharing agreement states that organisations are joint controllers and the majority of them are public authorities, so are you indicating that despite being joint controllers there should be different legal basis applied?
It is not uncommon for joint controllers to have different legal basis. I mentioned the example of police and local authorities to use CCTV images for different purposes. NHS Confed will use legitimate business interests.
What is a ghost record?
A ghost account is defined in the DPIA (describe scope of processing). A ghost record is snapshot of a user who has been registered on the system at some point but contains no identifiable or personal information. The ghost record only contains information that supports reporting purposes such as whether the user took part in a work placement or fulfilled a position within the NHS. This is to ensure the system is only storing relevant information on users, while anonymising personal data.
Why is there a reference to a retention period being subject to legal requirements where it would be difficult to determine what they are?
(Privacy Notice) This is standard wording on NHS Confed websites. Unless the NHS Confed was acting as an employer it is unlikely that there are any legal requirements.
Are you expecting the joint controllers to publish privacy notices in line with the NHS Confed one or can we do our own?
The NHS Confed privacy notice is specific to this website. I would expect that your own recruitment privacy notice will describe how candidate data is processed.
Why would a subject access request be required when a candidate can see all of the information about them in the system?
A subject access request is a requirement of data protection legislation. The subject is requesting to see all the data that may exist, not just that on the tool, an organisation holds.
How would you police the system for negative comments placed in the records?
We will have a code of conduct attached to the tool, guidelines for employers to operate within. As the NHS operates under a culture of respect we would hope that all comments would have a constructive nature. Any inappropriate comments can be reported to the NHS Employers team.
For those organisations that currently keep our own databases can we transfer this to the new database?
Yes – you will be able to quick register people onto the new tool as shown in the demonstration. All data of outcomes that has been provided to NHS Employers historically will also be added in.
When the website is redesigned will we still be able to advertise our information days?
The website functionality will not change. Information days will still be able to be advertised but we are looking to enhance the careers information available to potential candidates.
Are the Armed Forces staff made aware that we will be sharing their data as part of this service?
Yes, as part of the registration process we will ask them to agree to their data being shared and how it will be used.
Can an authorised signatory be added to the agreement alongside the single point of contact?
The single point of contact will be using the system and ensuring the data sharing agreement is being followed. They can sign on behalf of the employer as long as that follows the employer’s processes.