GoodShape Privacy
and Fair Processing Policy
Data integrity, security and confidentiality are vitally important to GoodShape. It is our goal to keep your data safe, secure and accurate, and to achieve this we operate an ISO27001 certified Information Security Management System (ISMS) that ensures GoodShape remains compliant with all applicable data protection legislation, including the General Data Protection Regulations (GDPR).
1. Introduction
- This privacy notice explains how and why GoodShape Limited, including each of its operating entities (also referred to as “GoodShape”, “we”, “our” and “us”) uses personal data concerning employees (referred to as “you”) in the provision of our absence management service to their employer (also referred to as “client” and “they”).
- You should read this notice, so that you know what we are doing with your personal data.
2. GoodShape’s data protection responsibilities
- “Personal data” is any information that relates to an identifiable person. Your name, date of birth and contact details are all examples of your personal data, if they identify you.
- The term “process” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.
- GoodShape is a "processor" of your personal data. Your employer remains the “controller” of your personal data. This means that they make decisions about how and why we process your personal data.
3. How does GoodShape collect personal data?
- GoodShape collects personal data in three ways.
1) Staff data updates sent by your employer for the purposes of maintaining the accuracy of data.
2) Telephone calls you make to GoodShape to report absence details or access wellbeing services.
3) Mobile application engagement you have with GoodShape to report absence details and access wellbeing services.
4. What types of personal data do we collect and where do we get it from?
- We collect many different types of personal data about you. Some of it will be provided by you directly to GoodShape. Some of it will be provided to GoodShape directly by your employer. For full details please see the table below:
|
Ref: |
Data |
Type |
Collected From |
Controller: |
Storage location: |
Accessed by: |
|
1 |
Employee Ref |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
2 |
First name |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
3 |
Surname |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
4 |
Date of Birth |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
5 |
Gender |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
6 |
Hard of Hearing Status |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
7 |
Work Phone Number |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
8 |
Work Email Address |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
9 |
Position Reference Number |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
10 |
Position Job Title |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
11 |
Contracted Hours/Days |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
12 |
Employment Type |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
13 |
Employment Start Date |
Mandatory |
Your employer |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
14 |
Absence Start Date |
Mandatory |
You |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
15 |
Absence End Date |
Mandatory |
You |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
16 |
Absence Type |
Mandatory |
You |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
17 |
Disclosed Absence Reason** |
Optional |
You |
Your employer |
GoodShape's UK data centres | Client/GoodShape |
|
18 |
Withheld Absence Reason** |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
19 |
Absence Time Lost |
Mandatory |
You |
Your Employer |
GoodShape's UK data centres | Client/GoodShape |
|
20 |
Fit Note Dates |
Optional |
You |
Your Employer |
GoodShape's UK data centres | Client/GoodShape |
|
21 |
Current Symptoms/Illness** |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
22 |
Medical History** |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
23 |
Current Medications** |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
24 |
Allergies** |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
25 |
Contact Telephone Number for GoodShape communications |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
26 |
Contact Telephone Number for passing on to your employer |
Optional |
You |
Your Employer |
GoodShape's UK data centres | Client/GoodShape |
|
27 |
Contact Telephone Number for identification purposes |
Optional |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
28 |
IP Address (Only processed if you have access to the web portal) |
Situational |
You |
GoodShape |
GoodShape's UK data centres | GoodShape |
|
29 |
Call Recording |
Mandatory |
You |
GoodShape |
PureCloud/AWS Irish data centre | GoodShape |
|
30 |
Security question and answer |
Mandatory |
You |
GoodShape |
GoodShape's UK data centres |
GoodShape |
|
31 |
Disability |
Optional |
Your Employer |
Your Employer |
GoodShape's UK data centres |
Client/GoodShape |
|
32 |
Personal Email Address |
Optional |
You |
GoodShape |
GoodShape's UK data centres |
Client/GoodShape |
|
33 |
Lifestyle Advice** |
Optional |
GoodShape Nurse |
GoodShape |
GoodShape's UK data centres |
GoodShape |
|
34 |
Postcode |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
35 |
Employee file note |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
36 |
Return to work interview form |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
37 |
Wellbeing referral decision |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
38 |
Absence monitoring stage |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
39 |
Absence monitoring notes |
Optional |
Your employer |
Your employer |
GoodShape's UK data centres |
Client/GoodShape |
|
40 |
Care Plan Task Log |
Situational |
You |
GoodShape |
GoodShape's UK data centres |
GoodShape |
|
41 |
Wellbeing Content Usage |
Situationall |
You |
GoodShape |
GoodShape's UK data centres |
GoodShape |
* Note that the option to share data items 21 to 24, and 33 with GoodShape is only available if your employer has purchased GoodShape’s ‘Complete Support’ service. If you are unsure which version of the GoodShape service your employer has purchased from GoodShape please contact your HR team.
** These data items are classified as Special Category data in line with applicable legislation.
5. What do we do with your personal data, and why?- We process your personal data in order to facilitate the necessary, fair and consistent management of your unplanned absences from work, in line with the contract of employment that you have agreed with the employer.
- Please note that GoodShape does not use your personal data for any form of automated decision making.
- We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you and is used to analyse aggregated absence trends at your employer.
6. Who do we share your personal data with, and why?
- We need to disclose your personal data to your employer in the form of absence notifications and reports, to enable them to manage your absence from work.
- Please note that for data items 1 to 13, 31 and 35 to 39 we are simply sharing data with your employer that they already control.
- For data items 14 to 17 and 19, this information is shared with your employer and any additional representatives they have nominated (such as Occupational Health, Payroll or Health & Safety).
- Data items 18, 21 to 25, 27 to 30 and 32 to 33 are never shared with your employer or any additional representatives they have nominated.
- In the usual course of our business we may disclose your personal data (which will be limited to the extent reasonably necessary) to certain third party sub-processors that we use to support the delivery of our service. This may include the following:
- Text Message distribution services for the issuing of absence notifications.
- Overflow contact centres for use in business continuity and disaster recovery plans.
- Outsourced developers to facilitate the delivery and evolution of services.
- Information Technology partner to provide infrastructure support services.
- Cloud hosting partners to provide required computer platforms.
Where we utilise a third party sub-processor we ensure that they operate under contractual restrictions with regards to confidentiality and security, in addition to their existing obligations under Data Protection Laws.
On extremely rare occasions GoodShape may have cause to be significantly concerned for the immediate health and welfare of a data subject. In these scenarios, GoodShape, in the vital interests of the data subject, may share any appropriate and necessary data with an emergency service, or nominated emergency contact within the client organisation.
7. Where in the world is your personal data transferred to?
- Your personal data is stored at rest in the United Kingdom (UK) and Ireland (IRE) is accessed by your employer via a secure online portal.
- This portal is accessible anywhere in the world by users with an internet enabled device (subject to access controls that can be enforced by your employer).
- The list of users who can access your data via the online portal is decided and maintained by your employer.
8. How do we keep your personal data secure?
- We will take specific steps (as required by applicable data protection laws) to ensure we take appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.
9. How long do we keep your personal data for?
- Your personal data for which GoodShape is a Processor will be kept on our system for 1 month following the termination of our service by your employer.
- Your personal data for which GoodShape is a Controller will be kept on our system for 7 years following the termination of our service by your employer.
10. What are your rights in relation to your personal data and how can you exercise them?
- You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
- Where our processing of your personal data is based on you providing consent (to your employer for the data they control, or to GoodShape for the data we control), you have the right to withdraw your consent at any time, subject to any lawful requirements.
- A brief summary of your rights are listed below, but we suggest you contact your employer for full details on how they intend to manage these processes.
|
Your right |
What does it mean? |
Limitations and conditions of your right |
|
Right of access |
Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). |
If possible, you should specify the type of information you would like to see to ensure that the disclosure meets your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people or be manifestly unfounded or excessive (Art 57). |
|
Right to data portability |
Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.
|
If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent and it covers only the personal data that has been provided to us by you. |
|
Rights in relation to inaccurate personal or incomplete data |
You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help your employer keep your personal information up to date and we encourage you to notify them of any changes regarding your personal data as soon as they occur. Please also contact GoodShape if you suspect that any of the data we control is inaccurate or incomplete. |
This right only applies to your own personal data and you cannot request changes to another person’s personal data. When exercising this right, please be as specific as possible. |
|
Right to object to or restrict our data processing |
Subject to conditions, you have a right to object to or ask your employer and GoodShape to restrict the processing of your personal data. |
As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. |
|
Right to erasure |
Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful. |
As your employer is the Data Controller for your personal data you would need to direct this request to them. They will in turn direct GoodShape to delete your personal data where appropriate. Please note that we may not be in a position to erase your personal data if we need it to comply with a legal obligation. |
|
Right to withdrawal of consent |
As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. |
If you withdraw your consent, this will only take effect for future processing. You will also need to direct this request to your employer, who may cite legal or legitimate reasons to continue processing your personal data. |
- If you wish to exercise any of these rights please contact your appropriate individual (usually a Data Protection Officer) at your employer.
- You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.
GoodShape is registered with the Information Commissioners Office and has taken great care to ensure that a legal basis can be established for the processing of the above data.
Lawful purposes:
| Ref | Lawful basis |
| 1 | Data subjects have given their explicit consent to the processing |
| 2 | It is necessary for the performance of a contractual obligation |
| 3 | It is necessary for GoodShape to comply with a legal obligation |
| 4 | It is necessary in order to protect the vital interests of the data subject or of another natural person |
| 5 | It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
| 6 | It is necessary for the purpose of the legitimate interests pursued by the controller or a third party |
GoodShape's legal basis:
The table below indicates which of the 6 legal basis applies to each piece of data processed or controlled by GoodShape:
| Ref | Data | Type | Collected from | Controller | 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | Employee ref | Mandatory | Your employer | Your employer | – | √ | – | - | – | - |
| 2 | First name | Mandatory | Your employer | Your employer | – | √ | – | √ | – | - |
| 3 | Surname | Mandatory | Your employer | Your employer | – | √ | – | √ | – | - |
| 4 | Date of Birth | Optional | Your employer | Your employer | – | √ | – | √ | – | - |
| 5 | Gender | Optional | Your employer | Your employer | – | √ | – | √ | – | - |
| 6 | Hard of hearing status | Optional | Your employer | Your employer | – | √ | – | √ | – | - |
| 7 | Work phone number | Mandatory | Your employer | Your employer | – | √ | – | - | – | - |
| 8 | Work email address | Mandatory | Your employer | Your employer | – | √ | – | - | – | - |
| 9 | Position reference number | Optional | Your employer | Your employer | – | √ | – | - | – | - |
| 10 | Position job title | Optional | Your employer | Your employer | – | √ | – | - | – | - |
| 11 | Contracted hours/days | Mandatory | Your employer | Your employer | – | √ | – | - | – | - |
| 12 | Employment type | Optional | Your employer | Your employer | – | √ | – | - | – | - |
| 13 | Employment start date | Mandatory | Your employer | Your employer | – | √ | – | - | – | - |
| 14 | Absence start date | Mandatory | You | Your employer | – | √ | – | - | – | - |
| 15 | Absence end date | Mandatory | You | Your employer | – | √ | – | - | – | - |
| 16 | Absence type | Mandatory | You | Your employer | – | √ | – | √ | – | - |
| 17 | Disclosed absence reason | Optional | You | Your employer | √ | – | – | √ | – | - |
| 18 | Withheld absence reason | Optional | You | GoodShape | √* | – | – | √ | – | √ |
| 19 | Absence time lost | Mandatory | You | Your employer | – | √ | – | - | – | - |
| 20 | Fit note dates | Optional | You | Your employer | – | √ | – | √ | – | - |
| 21 | Current symptoms/illness | Optional | You | GoodShape | √* | – | – | √ | – | √ |
| 22 | Medical history | Optional | You | GoodShape | √* | – | – | √ | – | √ |
| 23 | Current medications | Optional | You | GoodShape | √* | – | – | √ | – | √ |
| 24 | Allergies | Optional | You | GoodShape | √* | – | – | √ | – | √ |
| 25 | Contact telephone number for GoodShape communications | Optional | You | GoodShape | √ | – | – | √ | – | √ |
| 26 | Contact telephone number for passing on to your employer | Optional | You | Your employer | √ | – | – | √ | – | - |
| 27 | Contact Telephone Number for identification purposes | Optional | You | GoodShape | √ | – | – | √ | – | √ |
| 28 | IP address (only processed if you have access to the web portal) | Situational | You | GoodShape | – | √ | – | - | – | √ |
| 29 | Call recording | Mandatory | You | GoodShape | – | – | – | √ | – | √ |
| 30 | Security question and answer | Mandatory | You | GoodShape | – | √ | – | - | – | √ |
| 31 |
Disability |
Optional |
Your employer |
Your employer |
– | √ | – | √ | – | - |
| 32 |
Personal email address |
Optional | You |
GoodShape |
√ | – | – | √ | – | √ |
| 33 |
Lifestyle advice |
Optional | GoodShape Nurse |
GoodShape |
√* | – | – | √ | – | √ |
| 34 |
Postcode |
Optional |
Your employer |
Your employer |
– | √ | – | – | – | √ |
| 35 |
Employee file note |
Optional | Your employer | Your employer | – | √ | – | – | – | – |
| 36 |
Return to work interview form |
Optional | Your employer | Your employer | – | √ | – | – | – | – |
| 37 |
Wellbeing referral decision |
Optional | Your employer | Your employer | – | √ | – | – | – | – |
| 38 |
Absence monitoring stage |
Optional | Your employer | Your employer | – | √ | – | – | – | – |
| 39 |
Absence monitoring notes |
Optional | Your employer | Your employer | – | √ | – | – | – | – |
| 40 | Care Plan Task Log | Situational | You | GoodShape | - | √ | - | √ | - | √ |
| 41 | Wellbeing Conten Usage | Situational | You | GoodShape | - | √ | - | √ | - | √ |
* Right to withdraw consent unavailable due to information being necessary for the legitimate interests pursued by the controller and being of vital interest to the data subject themselves.
Special Category Data
| Ref: | Data: | Type: | Collected From: | Controller: |
| 17 | Disclosed Absence Reason** | Optional | You | Your employer |
| 18 | Withheld Absence Reason** | Optional | You | GoodShape |
| 21 | Current Symptoms/Illness** | Optional | You | GoodShape |
| 22 | Medical History** | Optional | You | GoodShape |
| 23 | Current Medications** | Optional | You | GoodShape |
| 24 | Allergies** | Optional | You | GoodShape |
| 33 | Lifestyle Advice** | Optional | GoodShape Nurse | GoodShape |
- GDPR Art.9(2)(a) Data subject has given explicit consent
- GDPR Art.9(2)(b) purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employmentSchedule 1 Part 1(1) (Data Prot. Act 2018) - Employment, social security and social protection)
- GDPR Art.9(2)(a) Data subject has given explicit consent
- GDPR Art.9(2)(b) purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment
- Schedule 1 Part 1(1) (Data Prot. Act 2018) - Employment, social security and social protection
- GDPR Art.9(2)(h) Health or social care
- Schedule 1 Part 1(2)(a) (Data Prot. Act 2018) – preventive or occupational medicine
- Schedule 1 Part 1(2)(b) (Data Prot. Act 2018) – the assessment of the working capacity of an employee
- Schedule 1 Part 1(2)(d) (Data Prot. Act 2018) – the provision of health care or treatment
- Schedule 1 Part 1(2)(f) (Data Prot. Act 2018) – the management of health care systems or services or social care systems or services
- GoodShape are registered with the Information Commissions Officer.
- GoodShape has in place an Information Security Management System (ISMS) which can demonstrate compliance with the six principles of the General Data Protection Regulations (GDPR).
- GoodShape’s ISMS and processes have been reviewed by Eversheds for legal appropriateness and legitimate reasons exists for the processing of data.
- None of the data recorded by GoodShape is used in automated decision-making or telemarketing.
- GoodShape remains a Data Processor for all information provided to it by the client.
- GoodShape is a Data Controller for the medical advice it provides, enabling it to confirm with the regulatory requirements of the Nursing and Midwifery Council (NMC)
- The Data Subject (i.e. employees calling GoodShape) retains full control over the dissemination of their Sensitive Data, which will not be disclosed to any party without the employee’s consent.
We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this notice during your first call to GoodShape following the update.
If you wish to make a Data Subject Access Request or exercise any of the other rights listed above, or have any questions about the fair processing of your data at GoodShape, please direct them to: dpo@GoodShape.uk
Version 29 - Date Updated: February 27, 2023