This Privacy Notice (“Notice”) sets out the basis upon which Optimum Patient Care Limited (“OPC”, “Company”, “we”, “us” or “our”) may collect, use, disclose or otherwise process personal data of employees and candidates in accordance with the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) (collectively “Data Protection Laws”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.


  1. This Notice applies to all persons engaged in a contract of service with us (whether on a part-time, temporary or full-time basis) as well as individuals providing services under a contract for services (including freelancers and consultants), and interns and trainees or volunteers working at or attached to us, or candidates applying for a role with the Company (collectively referred to as “employees”), and all references to “employment” shall apply equally to such employees.

  2. As used in this Notice, “personal data” includes information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
  3. Personal data which we may collect in the context of your recruitment or employment with us includes, without limitation, your:
    (a) name or alias, gender, passport number, date of birth, nationality, and country and city of birth;
    (b) mailing address, telephone numbers, email address and other contact details;
    (c) resume, educational qualifications, professional qualifications and certifications and employment references;
    (d) employment and training history;
    (e) salary information and bank account details;
    (f) details of your next-of-kin, spouse and other family members;
    (g) work-related health issues and disabilities;
    (h) records on leave of absence from work;
    (i) photographs and other audio-visual information;
    (j) performance assessments and disciplinary records; and
    (k) any additional information provided to us by you as a job applicant (that is, prior to being engaged as an employee).
  1. Other terms used in this Notice shall have the meanings given to them in the Data Protection Laws (where the context so permits).

  2. We generally collect personal data that (a) you knowingly and voluntarily provide in the course of or in connection with your employment with us, or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”, which may include your job placement agent), after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by Data Protection Laws or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).
  3. Prior to your employment, your personal data will be collected and used by us for the following purposes, and we may disclose your personal data to third parties where necessary for the following purposes:
    (a) assessing and evaluating your suitability for employment in any current or prospective position within the organisation; and
    (b) verifying your identity and the accuracy of your personal details and other information provided.
  4. If you are an employee, your personal data will be collected and used by us for the following purposes, and we may disclose your personal data to third parties where necessary for the following purposes:
    (a) performing obligations under or in connection with your contract of employment with us, including payment of remuneration and tax;
    (b) all administrative and human resources related matters within our organisation, including administering payroll, granting access to our premises and computer systems, processing leave applications, administering your insurance and other benefits, processing your claims and expenses, investigating any acts or defaults (or suspected acts or defaults) and developing human resource policies;
    (c) managing and terminating our employment relationship with you, including monitoring your internet access and your use of our intranet email to investigate potential contraventions of our internal or external compliance regulations, and resolving any employment related grievances;
    (d) assessing and evaluating your suitability for employment/appointment or continued employment/appointment in any position within our organisation;
    (e) ensuring business continuity for our organisation in the event that your employment with us is or will be terminated;
    (f) performing obligations under or in connection with the provision of our goods or services to our clients;
    (g) facilitating any proposed or confirmed merger, acquisition or business asset transaction involving any part of our organisation, or corporate restructuring process; and
    (h) facilitating our compliance with any laws, customs and regulations which may be applicable to us.
  1. The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).

  2. OPC is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored. We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is stored in the UK in line with Data Protection Laws.
  3. We have policies and procedures for the secure, permanent destruction of personal data when it is no longer required.
    • GDPR Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    • GDPR Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject;
    • GDPR Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

  4. Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Note that these rights apply to the data we hold in our capacity as data controller.
    • Your right to be informed
    • Your right of access
    You have the right to ask us for copies of your personal data held by OPC.
    • Your right to rectification
    You have the right to ask OPC to change or correct information you think is inaccurate about you. You also have the right to ask OPC to complete information you think is incomplete.
    • Your right to erasure
    You have the right to ask OPC to erase your personal data in certain circumstances.
    • Your right to restriction of processing
    You have the right to ask OPC to restrict the processing of your information in certain circumstances.
    • Your right to object to processing
    You have the right to object to processing if we are able to process your information because the process is in our legitimate interests.
    • Your right to data portability
    This only applies to information you have given to OPC. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information with your consent.
  5. You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

  6. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.
  7. We will respond to your access request as soon as reasonably possible. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the Data Protection Laws).
  8. Please note that depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.

  9. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures to secure all storage and transmission of personal data by us, and we disclose personal data both internally and to our authorised third-party service providers and agents only on a need-to-know basis.

    The steps we take to keep the personal data we collect secure include:

    • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
    • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
    • Regularly ensuring that our staff and contractors only access personal data when needed.
    • Ensuring our staff and contractors are regularly trained on data protection at least annually. This includes compulsory annual certified training provided by NHS Digital, and NIHR certified Good Clinical Practice (GCP) training.
    • Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA.
    • Undertaking and complying with the NHS Data Security and Protection Toolkit (ref: 8HR85) assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards.
    • ISO 27001 and ISO 9001 certification (certificate number 385342022). These accreditations demonstrate that OPC operates in accordance with a global framework of information security and quality assurance and management.
    • OPC is a registered data controller with the Information Commissioner’s Office, registration number: ZA197058.

  1. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

  2. We generally rely on personal data provided by you (or your authorised representative). To ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below.

  3. We may retain your personal data for as long as it is necessary to fulfil the purposes for which they were collected, or as required or permitted by applicable laws.
  4. We will cease to retain your personal data or remove the means by which the data can be associated with you as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data were collected and are no longer necessary for legal or business purposes. Please refer to OPC’s Data and Records Management Policy for further information on data retention schedules for various types of data including employee or staff personal data.

  5. If we transfer your personal data to countries outside of the UK, we will take steps to ensure that your personal data continues to receive the standards of adequate protection required by Data Protection Laws.

  6. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures; or if you wish to make any request, in the following manner:
    Our Data Protection Officer is Francis Appiagyei. You can email him at francis@optimumpatientcare.org or write to him using our postal address below. Please mark the envelope ‘Data Protection Officer’.
  7. Additionally, if you have any questions or complaints or you require any information about how we handle personal data at OPC, please contact our Data Protection Team by email, phone or post using the details below:
    Write to us: Optimum Patient Care, 5 Coles Lane, Cambridge, CB24 3BA
    Email us: dataprotection@optimumpatientcare.org
    Phone us: 01223 967 855

  8. You can make a complaint about the way we process your personal data to the Information Commissioner’s Office (ICO) using their contact information below. You can also request independent advice from the ICO.
    Phone: 0303 123 1113
    Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
    ICO website: https://ico.org.uk/make-a-complaint/

  9. This Notice applies in conjunction with any other policies, notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
  10. We keep our privacy notice under regular review to make sure it is up to date and accurate. When we make changes to this notice, we will amend the last updated date at the bottom of this page. Any update to this notice will be applied to the handling of personal data as of that update date.

Privacy Notice last updated 1 August 2022