Patchwork has to handle personal data about temporary workers and the staff of their employers.
This page explains what personal data we handle and why we do so.
Colloquially, “locum” means a clinician working temporary shifts for an employer such as an NHS hospital. On this page, we say “locum” in the general sense to mean anyone who substitutes temporarily for another member of the same profession.
(For the legal eyed reading this, words in bold say the legal basis of the GDPR under which we are legally the controller of all data which you supply directly to Patchwork. Where your employer supplies Patchwork data, we are the processor.)
Here’s the personal data we handle starting when…
1. Locum applies to work for an employer/multiple employers (note Patchwork is not the employer)
When a locum applies to work at an employer/s we handle this personal data about them:
- Email, password, cookies – to identify themselves to Patchwork
- Name, data of birth – to match against existing Electronic Staff Records
- Passport – required for photo identification, as medicine is a regulated industry
- Right to work documents – if Passport doesn’t give right to work
- Disclosure and Barring Service (DBS) – required by law and Government policy
- GMC number – for identification with official register of medical practitioners
- Proof of qualifications – ultimately, so can book only shifts they’re qualified for
Where a locum applies to work at for one employer, data will only be shared with that employer.
Where a locum applies to work for a number of employers who are working together as part of a collaborative approach or consortium, data will be shared with all employers to allow them to consider the application.
We do this to fulfil the contract between the locum and the employer (employment application).
Note that we give this information (except password and cookies!) to the employer’s HR team that the locum is applying to work at. We keep a history of rejected applications so the employer has a record for disputes and fraudulent applications.
We also store the same personal data so that the locum can more easily apply to other employers. This is by consent of the locums, and they can request deletion of the data at any time.
1.1 Lawful basis for processing
We process the data on Shifts booked, cancelled and signed-off to give Employers the information they need to make decisions on Shift Approvals, auto booking preferences and more.
2. Locum books a shift
After a locum is activated as working at an employer, we handle this personal data about them:
- Name, password, cookies – to identify themselves to Patchwork
- Mobile notification keys – for in-app push notifications about shifts
- Grade and specialities – so they can only book shifts they’re qualified for
- Shifts they have booked to work on
- Departments they are assigned to
- Whether they are a preferred locum – so don’t need approval when booking shifts
We do this to fulfil the employment contract between the locum and the employer. Of course the employer HR team has access to this information in their shift booking system (except password and cookies!).
So the employer can handle employment disputes, and for patient safety, we permanently store this personal data about the locum:
- History of shifts they used to work on
- Cancelled shifts and the reason they are cancelled
- Changes to timing or escalation of shifts
Again, this is to fulfil the locum’s employment contract, particularly in the case of errors or disputes.
4. Agency locum books a shift
If a shift is filled not by Patchwork but by an agency we store this information about the agency locum:
- Name of agency locum
- Grade, department
- Time and other details about shift
This is to fulfil the agency locum’s employment contract with their agency, which requires booking shifts on the employer’s booking system.
5. Locum gets paid
So a locum can get paid, we handle this personal data about them:
- ESR / payroll number – for integration by the employer with their payroll system
- Rate of pay for a shift
- History of shifts and their rates of pay
This is necessary to fulfil the employment contracts between the locums and their employer. It is necessary that we keep the history, in case there are errors or disputes. The employer has access to this information.
6. Employer’s staff do their jobs
We handle some personal data about employer staff who use the Patchwork employer portal to do their work:
- Name, password, cookies – to identify themselves to Patchwork
- Audit history of their activity on the Patchwork employer portal
This is so the employer can perform their public task (if public sector) or legitimate interests (otherwise) of managing their HR team, including knowing who made decisions about the HR team.
7. All users
To help maintain our service we store:
- Standard server logs
We do this in our legitimate interests to run a reliable service and provide customer support.
We generate aggregated statistical information about shifts, bookings and locums. For example, measuring the fill rate of an HR team. These statistics are no longer personal data. We use them for research, marketing and financial planning.
8. Making requests about your data
8.1 Rights of the Individual
If we hold any of your personal data, you can request to access it. In some cases, depending on the reason given above that we hold the data, you can request we correct, erase or restrict our processing of it.
9. Third Parties
9.1 Security, Privacy and Compliance Information for Patchwork
Patchwork is a data processor and engages certain onward subprocessors that may process personal data submitted to Patchwork’s services by the controller. These subprocessors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Patchwork from time to time:
- - Intercom. Customer Relationship Management. (USA)
- - Amazon Web Services, Inc. Hosting, storage and analytics. (UK)
- - Mailchimp. Email. (USA)
- - Google Inc. Analytics. (UK)
- - Hotjar. Analytics. (EU)
If you’d like to to do this, please contact us by emailing firstname.lastname@example.org.
We’d also love to hear from you if you have any other questions.
If you have any concerns about any organisation’s processing of personal data, you can report your concern to the Information Commissioner’s Office. https://ico.org.uk/concerns
9. Data Protection Officer
Jing Ouyang (Chief Operating Officer )