
Staff Privacy Policy


Invicta Health CIC collects and uses personal information provided during the recruitment process. This includes contact details, employment history, qualifications, references, ID checks, and (where required) health and criminal record information. This is required to assess suitability for roles, carry out safeguarding and regulatory checks, and meet legal obligations. This data may be shared with relevant partners such as DBS providers, occupational health, and regulators. It is kept securely and usually retained for up to 12 months (unless you are employed). Individuals have rights to access, correct, or object to the use of their data, with all processing carried out in line with UK data protection laws.

Introduction

Invicta Health CIC ("we", "our", or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy outlines how we collect, use, store, and share personal data relating to our employees, workers, and contractors during and after your working relationship with us.

 

Data Controller

Invicta Health CIC is the data controller responsible for your personal data.

Contact Details:

  • Address: Corporate Services, Birchington Medical Centre, Minnis Road, Birchington, Kent, CT7 9HQ
  • Phone Number: 0800 242 5199
 

Data Protection Principles

We adhere to the following data protection principles:

  • Process personal data lawfully, fairly, and transparently.
  • Collect data for specified, explicit, and legitimate purposes.
  • Ensure data is adequate, relevant, and limited to what is necessary.
  • Keep data accurate and up to date.
  • Retain data only as long as necessary.
  • Secure personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
 

Information We Collect


Personal contact details

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c), Art. 6(1)(f)

Date of birth, gender, and marital status

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c)

National Insurance number

  • Lawful Basis for Processing (UK GDPR): Legal
  • UK GDPR Article Reference: Art. 6(1)(c)

Copies of driving licence and passport

  • Lawful Basis for Processing (UK GDPR): Legal
  • UK GDPR Article Reference: Art. 6(1)(c), Art. 6(1)(f)

Bank account details, payroll records, and tax status information

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c)

Salary, annual leave, pension, and benefits information

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c)

Start date, leaving date, and location of employment

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c)

Recruitment information

  • Lawful Basis for Processing (UK GDPR): Legitimate
  • UK GDPR Article Reference: Art. 6(1)(f), Art. 6(1)(c)

Employment records

  • Lawful Basis for Processing (UK GDPR): Performance
  • UK GDPR Article Reference: Art. 6(1)(b), Art. 6(1)(c), Art. 6(1)(f)

Disciplinary and grievance information

  • Lawful Basis for Processing (UK GDPR): Legal
  • UK GDPR Article Reference: Art. 6(1)(c), Art. 6(1)(f)

CCTV footage and other electronic data

  • Lawful Basis for Processing (UK GDPR): Legitimate
  • UK GDPR Article Reference: Art. 6(1)(f), Art. 6(1)(c)

Use of information and communications systems

  • Lawful Basis for Processing (UK GDPR): Legitimate
  • UK GDPR Article Reference: Art. 6(1)(f), Art. 6(1)(b)

Photographs

  • Lawful Basis for Processing (UK GDPR): Legitimate
  • UK GDPR Article Reference: Art. 6(1)(f), Art. 6(1)(a)

Race or ethnicity, religious beliefs, sexual orientation, political opinions

  • Lawful Basis for Processing (UK GDPR): Explicit
  • UK GDPR Article Reference: Art. 9(2)(a), Art. 9(2)(b)

Trade union membership

  • Lawful Basis for Processing (UK GDPR): Explicit
  • UK GDPR Article Reference: Art. 9(2)(a), Art. 9(2)(b)

Health data

  • Lawful Basis for Processing (UK GDPR): Explicit
  • UK GDPR Article Reference: Art. 9(2)(a), Art. 9(2)(b)

Criminal convictions and offences

  • Lawful Basis for Processing (UK GDPR): Legal
  • UK GDPR Article Reference: Art. 10, Art. 6(1)(c), Art. 9(2)(b), Art. 9(2)(g)
 

How We Collect Your Personal Information

We collect personal information about employees, workers, and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider (such as a DBS). We may also collect additional personal information in the course of job-related activities throughout the period you work for us.

 

How We Use Your Personal Information

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We use automated systems to track completion of mandatory training and send reminders or escalate non-compliance. These tools support compliance and safety but do not make decisions with legal or significant effects. Any formal action is reviewed by a human, in line with UK GDPR Article 22.

 

Sharing Your Personal Information

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you, or where we have another legitimate interest in doing so. Third parties may include:

  • NHS Pension providers
  • Professional bodies (such as the GMC or NMC)
  • Systems to support HR (Cascade)
  • Care Identity Systems (such as NHS Smartcard)
  • Occupational health providers
  • HM Revenue & Customs
  • Professional advisers (such as insurance or defence commissioned services).

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.

We do not transfer your personal data outside the United Kingdom. If this changes in the future, we will ensure appropriate safeguards are in place and inform you accordingly.

 

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know.

 

Data Retention

We follow the NHS structured approach to HR records, as outlined in the NHS England Records Retention and Disposal Schedule and the Records Management Code of Practice. Here are some key retention periods for HR-related records:

Personnel files (staff)

  • Retention Period: 6 years after employment ends
  • Notes: Includes contracts, appraisals, and disciplinary records

Recruitment records (unsuccessful)

  • Retention Period: 1 year after recruitment decision
  • Notes: For audit and legal challenge purposes

Training records

  • Retention Period: 6 years after employment ends
  • Notes: Includes mandatory and professional development training

Occupational health records

  • Retention Period: 6 years after employment ends
  • Notes: Some health surveillance records may be kept longer (e.g., 40 years)

Payroll and salary records

  • Retention Period: 6 years
  • Notes: For tax and audit purposes

Annual leave and sickness records

  • Retention Period: 2 years
  • Notes: Unless part of a formal HR process

Disciplinary and grievance records

  • Retention Period: 6 years after case closed
  • Notes: Longer if part of legal proceedings
 

Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data
  • Withdraw consent
 

Changes to This Privacy Policy

We reserve the right to update this privacy policy at any time. We will provide you with a new privacy policy when we make any substantial updates.

INVICTA HEALTH

Invicta Health Head Office
Corporate Service
Birchington Medical Centre
Birchington
Kent, CT7 9HQ

Tel: 0800 242 5199 or 01227 470057

Registered address: Camburgh House, 27 New Dover Road, Canterbury, Kent, CT1 3DN