HR Investigations and Grievance Process Privacy Notice

1. Context

A ‘privacy notice’ is a legal requirement under data protection legislation and is here to help you be aware of your rights, our duties and how we protect your privacy by keeping your information confidential and secure. Under this legislation, the Royal Devon University Healthcare NHS Foundation Trust, hereafter referred to as the ‘Trust’, is the data controller of personal data covered by this privacy notice. A privacy notice is sometimes referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy.

This Privacy Notice relates to Human Resources (HR) Investigations and the Grievance Process for the Trust. It explains how your personal data will be collected, used, and protected during HR Investigations and the Grievance Process.

As a Trust we are required to ensure your personal data is processed in accordance with UK data protection legislation including the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner’s Office (ICO).

2. What is our legal basis for processing personal data about you?

All the personal information that we collect and use is handled in accordance with Data Protection principles. These state that the processing of personal data (which includes collection, use, storage, and deletion) must be:

  • Lawful and fair
  • Specified, explicit, and legitimate
  • Adequate, relevant, and not excessive
  • Accurate and kept up to date
  • Kept for no longer than necessary
  • Secure

We use different legal bases depending on the purpose for which we use your personal information:

  • Legal Obligation (Article 6(1)(c)) - processing is necessary for compliance with a legal obligation; this is relevant employment and HR legislation.
  • Public Task (Article 6(1)(e) UK GDPR) - processing is necessary for the performance of a task carried out in the public interest and/or in the exercise of official authority vested in the controller. This is because it relates to the processing of personal data which is necessary for the performance of employment and HR purposes.
  • Contract (Article 6(1)(b)) – for processing necessary to administer and perform your employment contract, such as paying your salary, providing employee benefits, and managing leave. This would apply to existing employees.

For processing of special categories of personal data, which includes data concerning your health, race, ethnicity or sexual orientation, we rely on one of the following legal bases:

  • Employment and social security law (Article 9(2)(b)) – for processing your absence and sickness records.
  • Occupational health (Article 9(2)(h)) – for processing for the purposes of preventive or occupational health, assessment of the working capacity of the employee, or the provision of health or social care.

Your data may also be processed in line with the Staff and Occupational Health Privacy notices available at: Royal Devon University Healthcare NHS Foundation Trust (rdehospital.nhs.uk).

3. Collection of Personal Information

Your data will be processed to support the HR process for investigations and the grievance process. This will be in accordance with UK data protection legislation and any other relevant legislation.

The HR department processes personal data and special category personal data (as described in the DPA 2018 and UK GDPR), to support the investigation and grievance process. We are processing this information at your line manager’s request for any HR investigations and at your request if you wish to undertake the grievance process.

Personal Information

Personal information is information that identifies a living individual; this covers any information that can be attributed to you personally, in both electronic and paper records. During the investigation and grievance process, we may collect and process the following types of personal data:

  • Personal details - such as full name, date of birth.
  • Contact information - such as address, phone numbers and email addresses.
  • Training and qualifications.
  • Employment history – such as details of your role and any previous roles undertaken in the Trust.
  • Sick absence forms and any referrals to Occupational Health.
  • Probation reports, performance reviews and Performance Development Reviews (PDRs).
  • Grievance and requests for appeal documentation.
  • Interview notes recorded during fact finding exercises.
  • Fact finding reports created at the conclusion of investigations and the grievance process.
  • Notes of hearings in relation to investigations and the grievance process.
  • Outcome letters.

Special categories of personal data

Special Categories of personal data we may process include:

  • Race or ethnicity
  • Physical or mental health
  • Sexual orientation and sexual life
  • Trade union membership

Additional information that is considered sensitive might relate to:

  • The commission or alleged commission of an offence, or proceedings or sentence relating to offences or alleged offences.

We may also receive personal information indirectly, from the following sources in the following scenarios:

  • Information from other individuals who can provide information about your employment and character.
  • Information from third parties who may be interviewed as part of an investigation or through the grievance process.
  • Regulatory bodies.

4. Use of Your Information

We collect and process your personal data for the following purposes:

  • Conducting investigations and undertaking the grievance process.
  • Conducting interviews and assessments.
  • Communicating with you about your application and the outcome of any investigation.

5. Sharing Your Information

Your information may be shared internally with HR officers and with managers who have initiated the investigation process. Your grievance information will be shared internally with the HR department and with investigating officers who may investigate your grievance and any subsequent appeals. Information may be shared with third parties who need to be interviewed as part of the grievance process.

Your information may be shared with solicitors instructed by the Trust for the purpose of obtaining legal advice. Results of investigations and outcome of grievances may be shared with regulatory bodies.

We will not sell or share your information for marketing purposes.

6. International Data Transfers

We will not transfer your personal data outside of the UK, UK Crown Dependencies or the European Economic Area (EEA).

We reserve the right to disclose your personal information to comply with applicable laws and government or regulatory bodies' lawful requests for information.

7. Data Retention

Disciplinary records have a retention period of 6 years and will be reviewed and destroyed if no longer required. Retention begins once the case is heard and any appeal process completed. The record may be retained for longer, but this will be a Trust decision based on the facts of the case. The more serious the case, the more likely it will attract a longer retention period. Likewise, a one-off incident may need to only be kept for the minimum time stated. This applies to all disciplinary records, regardless of format.

Records of industrial relations which include tribunal case records have a retention period of 10 years until they are reviewed.

8. Keeping Your Personal Information Secure

We take the security of your personal information very seriously and have appropriate physical, technical and administrative procedures in place to help protect your personal information from unauthorised access, use or disclosure in accordance with the relevant data protection legislation.

9. Data Subject Rights

The information you provided will be managed in accordance with data protection legislation.

You have the following rights:

  • The right of access – You have the right to request access to the personal data the Trust holds about you and/or copies of your personal information. See section 10 below for more information.
  • The right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
  • The right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

10. Subject Access Requests (SARs) and Disclosures

Under an individual’s right to request access to the personal data the Trust holds about them, also known as a subject access request (SAR), the Trust can only disclose personal data relating to that individual (the requester).

Please note that the fact that the requester may be mentioned in information held does not mean it is automatically released. The information will undergo an extensive review by the IG team to identify whether it is personal data (no third-party data is released, etc.) and to identify the applicable exemptions. Grievances, by their very nature, are a complex process which includes confidential disclosures. Any release of information in relation to a grievance must be carefully reviewed to balance the rights and expectations of confidentiality imposed within these processes.

If your case progresses to an employment tribunal, both you (the data subject) and the Trust have a legal duty to disclose all documents relevant to the case. This process is known as “disclosure” and is governed by the Employment Tribunals (Constitution and Rules of Procedure) Regulations 2013 and the Employment Tribunal Procedure Rules 2024. Disclosure means that both parties must share all documents—whether they support or undermine either side’s case—including contracts, emails, meeting notes, and other records. The tribunal may also order the disclosure of specific documents or information.

Failure to disclose relevant documents can result in serious consequences, such as exclusion of evidence, delays, or even the dismissal of a claim or defence. Certain documents, such as those protected by legal privilege (e.g., confidential communications with legal advisers), are exempt from disclosure. The aim of disclosure is to ensure fairness and transparency, allowing both parties to prepare their cases fully and avoid surprises at the hearing.

Disclosure for tribunal purposes and data subject rights are separate processes, but both protect your confidentiality and legal rights.

11. Who to contact

To make use of these rights please contact the Information Governance team via email at rduh.a2rstaff@nhs.net. Further information is available on our website: https://royaldevon.nhs.uk/about-us/information-governance/access-your-personal-data-health-records/

If you have any concerns about our processing of your information, then please contact the Trust Data Protection Officer by emailing rduh.dpo@nhs.net.

12. The Information Commissioner’s Office (ICO)

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our DPO’s response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO at:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Website: https://ico.org.uk/concerns/

Email: casework@ico.org.uk

13. Changes to the Privacy Notice

This privacy notice may be updated to reflect changes in our data processing practices. Any updates will be communicated through our website or other appropriate channels and will carry the updated effective date.

This privacy notice was last updated on 20/11/2025 and is available on the Trust’s website and Career Gateway.