Data integrity, security and confidentiality are vitally important to GoodShape. It is our goal to keep your data safe, secure and accurate, and to achieve this we operate an ISO27001 certified Information Security Management System (ISMS) that ensures GoodShape remains compliant with all applicable data protection legislation, including the General Data Protection Regulation (GDPR).

1. Introduction

  • This privacy notice explains how and why GoodShape Limited, including each of its operating entities (also referred to as “GoodShape”, “we”, “our” and “us”) uses personal data concerning employees (referred to as “you”) in the provision of our absence management service to their employer (also referred to as “client” and “they”).
  • You should read this notice, so that you know what we are doing with your personal data.

2. GoodShape’s data protection responsibilities

  • “Personal data” is any information that relates to an identifiable person. Your name, date of birth and contact details are all examples of your personal data, if they identify you.
  • The term “process” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.
  • GoodShape is a "processor" of your personal data. Your employer remains the “controller” of your personal data. This means that they make decisions about how and why we process your personal data.

3. How does GoodShape collect personal data?

  • GoodShape collects personal data in three ways.

    1) Staff data updates sent by your employer for the purposes of maintaining the accuracy of data.
    2) Telephone calls you make to GoodShape to report absence details or access wellbeing services.
    3) Mobile application engagement you have with GoodShape to report absence details and access wellbeing services.

4. What types of personal data do we collect and where do we get it from?

  • We collect many different types of personal data about you. Some of it will be provided by you directly to GoodShape. Some of it will be provided to GoodShape directly by your employer. For full details please see the table below:

| Ref | Data | Type | Collected From | Controller | Storage location | Accessed by |
|---|---|---|---|---|---|---|
| 1 | Employee Ref | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 2 | First name | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 3 | Surname | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 4 | Date of Birth | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 5 | Gender | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 6 | Hard of Hearing Status | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 7 | Work Phone Number | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 8 | Work Email Address | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 9 | Position Reference Number | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 10 | Position Job Title | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 11 | Contracted Hours/Days | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 12 | Employment Type | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 13 | Employment Start Date | Mandatory | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 14 | Absence Start Date | Mandatory | You | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 15 | Absence End Date | Mandatory | You | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 16 | Absence Type | Mandatory | You | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 17 | Disclosed Absence Reason** | Optional | You | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 18 | Withheld Absence Reason** | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 19 | Absence Time Lost | Mandatory | You | Your Employer | GoodShape's UK data centres | Client/GoodShape |
| 20 | Fit Note Dates | Optional | You | Your Employer | GoodShape's UK data centres | Client/GoodShape |
| 21 | Current Symptoms/Illness** | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 22 | Medical History** | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 23 | Current Medications** | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 24 | Allergies** | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 25 | Contact Telephone Number for GoodShape communications | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 26 | Contact Telephone Number for passing on to your employer | Optional | You | Your Employer | GoodShape's UK data centres | Client/GoodShape |
| 27 | Contact Telephone Number for identification purposes | Optional | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 28 | IP Address (Only processed if you have access to the web portal) | Situational | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 29 | Call Recording | Mandatory | You | GoodShape | PureCloud/AWS Irish data centre | GoodShape |
| 30 | Security question and answer | Mandatory | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 31 | Disability | Optional | Your Employer | Your Employer | GoodShape's UK data centres | Client/GoodShape |
| 32 | Personal Email Address | Optional | You | GoodShape | GoodShape's UK data centres | Client/GoodShape |
| 33 | Lifestyle Advice** | Optional | GoodShape Nurse | GoodShape | GoodShape's UK data centres | GoodShape |
| 34 | Postcode | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 35 | Employee file note | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 36 | Return to work interview form | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 37 | Wellbeing referral decision | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 38 | Absence monitoring stage | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 39 | Absence monitoring notes | Optional | Your employer | Your employer | GoodShape's UK data centres | Client/GoodShape |
| 40 | Care Plan Task Log | Situational | You | GoodShape | GoodShape's UK data centres | GoodShape |
| 41 | Wellbeing Content Usage | Situational | You | GoodShape | GoodShape's UK data centres | GoodShape |


* Note that the option to share data items 21 to 24, and 33 with GoodShape is only available if your employer has purchased GoodShape’s ‘Complete Support’ service. If you are unsure which version of the GoodShape service your employer has purchased from GoodShape please contact your HR team.

** These data items are classified as Special Category data in line with applicable legislation.

5. What do we do with your personal data, and why?

  • We process your personal data in order to facilitate the necessary, fair and consistent management of your unplanned absences from work, in line with the contract of employment that you have agreed with the employer.
  • Please note that GoodShape does not use your personal data for any form of automated decision making.
  • We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you and is used to analyse aggregated absence trends at your employer.

6. Who do we share your personal data with, and why?

  • We need to disclose your personal data to your employer in the form of absence notifications and reports, to enable them to manage your absence from work.
    • Please note that for data items 1 to 13, 31 and 35 to 39 we are simply sharing data with your employer that they already control.
    • For data items 14 to 17 and 19, this information is shared with your employer and any additional representatives they have nominated (such as Occupational Health, Payroll or Health & Safety). 
    • Data items 18, 21 to 25, 27 to 30 and 32 to 33 are never shared with your employer or any additional representatives they have nominated.
  • In the usual course of our business we may disclose your personal data (which will be limited to the extent reasonably necessary) to certain third party sub-processors that we use to support the delivery of our service. This may include the following:
    • Text Message distribution services for the issuing of absence notifications.
    • Overflow contact centres for use in business continuity and disaster recovery plans.
    • Outsourced developers to facilitate the delivery and evolution of services.
    • Information Technology partner to provide infrastructure support services.
    • Cloud hosting partners to provide required computer platforms. 

      Where we utilise a third party sub-processor we ensure that they operate under contractual restrictions with regards to confidentiality and security, in addition to their existing obligations under Data Protection Laws.

      On extremely rare occasions GoodShape may have cause to be significantly concerned for the immediate health and welfare of a data subject. In these scenarios, GoodShape, in the vital interests of the data subject, may share any appropriate and necessary data with an emergency service, or nominated emergency contact within the client organisation.

7. Where in the world is your personal data transferred to? 

  • Your personal data is stored at rest in the United Kingdom (UK) and Ireland (IRE) and is accessed by your employer via a secure online portal.
  • This portal is accessible anywhere in the world by users with an internet enabled device (subject to access controls that can be enforced by your employer).
  • The list of users who can access your data via the online portal is decided and maintained by your employer.

8. How do we keep your personal data secure?

  • We will take specific steps (as required by applicable data protection laws) to ensure we take appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

9. How long do we keep your personal data for?

  • Your personal data for which GoodShape is a Processor will be kept on our system for 1 month following the termination of our service by your employer.
  • Your personal data for which GoodShape is a Controller will be kept on our system for 7 years following the termination of our service by your employer.

10. What are your rights in relation to your personal data and how can you exercise them?

  • You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
  • Where our processing of your personal data is based on you providing consent (to your employer for the data they control, or to GoodShape for the data we control), you have the right to withdraw your consent at any time, subject to any lawful requirements.
  • A brief summary of your rights is listed below, but we suggest you contact your employer for full details on how they intend to manage these processes.

| Your right | What does it mean? | Limitations and conditions of your right |
|---|---|---|
| Right of access | Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). If possible, you should specify the type of information you would like to see to ensure that the disclosure meets your expectations. | We must be able to verify your identity. Your request may not impact the rights and freedoms of other people or be manifestly unfounded or excessive (Art 57). |
| Right to data portability | Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format. If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. | This right only applies if the processing is based on your consent and it covers only the personal data that has been provided to us by you. |
| Rights in relation to inaccurate or incomplete personal data | You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help your employer keep your personal information up to date and we encourage you to notify them of any changes regarding your personal data as soon as they occur. Please also contact GoodShape if you suspect that any of the data we control is inaccurate or incomplete. | This right only applies to your own personal data and you cannot request changes to another person’s personal data. When exercising this right, please be as specific as possible. |
| Right to object to or restrict our data processing | Subject to conditions, you have a right to object to or ask your employer and GoodShape to restrict the processing of your personal data. | As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. |
| Right to erasure | Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful. | As your employer is the Data Controller for your personal data you would need to direct this request to them. They will in turn direct GoodShape to delete your personal data where appropriate. Please note that we may not be in a position to erase your personal data if we need it to comply with a legal obligation. |
| Right to withdrawal of consent | As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. | If you withdraw your consent, this will only take effect for future processing. You will also need to direct this request to your employer, who may cite legal or legitimate reasons to continue processing your personal data. |

  • If you wish to exercise any of these rights please contact the appropriate individual (usually a Data Protection Officer) at your employer.
  • You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/

11. Our legal basis for data processing

GoodShape is registered with the Information Commissioner’s Office and has taken great care to ensure that a legal basis can be established for the processing of the above data.

Lawful purposes:

| Ref | Lawful basis |
|---|---|
| 1 | Data subjects have given their explicit consent to the processing |
| 2 | It is necessary for the performance of a contractual obligation |
| 3 | It is necessary for GoodShape to comply with a legal obligation |
| 4 | It is necessary in order to protect the vital interests of the data subject or of another natural person |
| 5 | It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
| 6 | It is necessary for the purpose of the legitimate interests pursued by the controller or a third party |

GoodShape's legal basis:

The table below indicates which of the 6 legal bases applies to each piece of data processed or controlled by GoodShape:

| Ref | Data | Type | Collected from | Controller | 1 2 3 4 5 6 |
|---|---|---|---|---|---|
| 1 | Employee ref | Mandatory | Your employer | Your employer | - - |
| 2 | First name | Mandatory | Your employer | Your employer | - |
| 3 | Surname | Mandatory | Your employer | Your employer | - |
| 4 | Date of Birth | Optional | Your employer | Your employer | - |
| 5 | Gender | Optional | Your employer | Your employer | - |
| 6 | Hard of hearing status | Optional | Your employer | Your employer | - |
| 7 | Work phone number | Mandatory | Your employer | Your employer | - - |
| 8 | Work email address | Mandatory | Your employer | Your employer | - - |
| 9 | Position reference number | Optional | Your employer | Your employer | - - |
| 10 | Position job title | Optional | Your employer | Your employer | - - |
| 11 | Contracted hours/days | Mandatory | Your employer | Your employer | - - |
| 12 | Employment type | Optional | Your employer | Your employer | - - |
| 13 | Employment start date | Mandatory | Your employer | Your employer | - - |
| 14 | Absence start date | Mandatory | You | Your employer | - - |
| 15 | Absence end date | Mandatory | You | Your employer | - - |
| 16 | Absence type | Mandatory | You | Your employer | - |
| 17 | Disclosed absence reason | Optional | You | Your employer | - |
| 18 | Withheld absence reason | Optional | You | GoodShape | √* |
| 19 | Absence time lost | Mandatory | You | Your employer | - - |
| 20 | Fit note dates | Optional | You | Your employer | - |
| 21 | Current symptoms/illness | Optional | You | GoodShape | √* |
| 22 | Medical history | Optional | You | GoodShape | √* |
| 23 | Current medications | Optional | You | GoodShape | √* |
| 24 | Allergies | Optional | You | GoodShape | √* |
| 25 | Contact telephone number for GoodShape communications | Optional | You | GoodShape | |
| 26 | Contact telephone number for passing on to your employer | Optional | You | Your employer | - |
| 27 | Contact Telephone Number for identification purposes | Optional | You | GoodShape | |
| 28 | IP address (only processed if you have access to the web portal) | Situational | You | GoodShape | - |
| 29 | Call recording | Mandatory | You | GoodShape | |
| 30 | Security question and answer | Mandatory | You | GoodShape | - |
| 31 | Disability | Optional | Your employer | Your employer | - |
| 32 | Personal email address | Optional | You | GoodShape | |
| 33 | Lifestyle advice | Optional | GoodShape Nurse | GoodShape | √* |
| 34 | Postcode | Optional | Your employer | Your employer | |
| 35 | Employee file note | Optional | Your employer | Your employer | |
| 36 | Return to work interview form | Optional | Your employer | Your employer | |
| 37 | Wellbeing referral decision | Optional | Your employer | Your employer | |
| 38 | Absence monitoring stage | Optional | Your employer | Your employer | |
| 39 | Absence monitoring notes | Optional | Your employer | Your employer | |
| 40 | Care Plan Task Log | Situational | You | GoodShape | - - - |
| 41 | Wellbeing Content Usage | Situational | You | GoodShape | - - - |

* Right to withdraw consent unavailable due to information being necessary for the legitimate interests pursued by the controller and being of vital interest to the data subject themselves.

Special Category Data

GoodShape processes the following special category data:

| Ref | Data | Type | Collected From | Controller |
|---|---|---|---|---|
| 17 | Disclosed Absence Reason** | Optional | You | Your employer |
| 18 | Withheld Absence Reason** | Optional | You | GoodShape |
| 21 | Current Symptoms/Illness** | Optional | You | GoodShape |
| 22 | Medical History** | Optional | You | GoodShape |
| 23 | Current Medications** | Optional | You | GoodShape |
| 24 | Allergies** | Optional | You | GoodShape |
| 33 | Lifestyle Advice** | Optional | GoodShape Nurse | GoodShape |

Where information is processed by GoodShape as a Data Processor, the lawful basis for processing data includes:
  • GDPR Art.9(2)(a) Data subject has given explicit consent
  • GDPR Art.9(2)(b) purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment
  • Schedule 1 Part 1(1) (Data Prot. Act 2018) - Employment, social security and social protection

Where information is processed by GoodShape as a Data Controller, the lawful basis for processing data includes:
  • GDPR Art.9(2)(a) Data subject has given explicit consent
  • GDPR Art.9(2)(b) purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment
  • Schedule 1 Part 1(1) (Data Prot. Act 2018) - Employment, social security and social protection
  • GDPR Art.9(2)(h) Health or social care
  • Schedule 1 Part 1(2)(a) (Data Prot. Act 2018) – preventive or occupational medicine
  • Schedule 1 Part 1(2)(b) (Data Prot. Act 2018) – the assessment of the working capacity of an employee
  • Schedule 1 Part 1(2)(d) (Data Prot. Act 2018) – the provision of health care or treatment
  • Schedule 1 Part 1(2)(f) (Data Prot. Act 2018) – the management of health care systems or services or social care systems or services

Additional Considerations:
  • GoodShape is registered with the Information Commissioner’s Office.
  • GoodShape has in place an Information Security Management System (ISMS) which can demonstrate compliance with the six principles of the General Data Protection Regulation (GDPR).
  • GoodShape’s ISMS and processes have been reviewed by Eversheds for legal appropriateness, and legitimate reasons exist for the processing of data.
  • None of the data recorded by GoodShape is used in automated decision-making or telemarketing.
  • GoodShape remains a Data Processor for all information provided to it by the client.
  • GoodShape is a Data Controller for the medical advice it provides, enabling it to conform with the regulatory requirements of the Nursing and Midwifery Council (NMC).
  • The Data Subject (i.e. employees calling GoodShape) retains full control over the dissemination of their Sensitive Data, which will not be disclosed to any party without the employee’s consent.

12. Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this notice during your first call to GoodShape following the update.

13. Data subject access requests and queries

If you wish to make a Data Subject Access Request or exercise any of the other rights listed above, or have any questions about the fair processing of your data at GoodShape, please direct them to: dpo@GoodShape.com

Version 29 - Date Updated: February 27, 2023