Under GDPR Skills for Care rely on the condition that "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". Skills for Care is collecting the data on behalf of DHSC who have responsibilities for strategic workforce planning for health and social care.
For employers they can rely on lawful processing under GDPR where it is "necessary for the purposes of legitimate interests pursued by the controller or a third party, (except where such interests are overridden by the interests, rights or freedoms of the data subject)". Skills for Care can also rely on this ground in addition to the public interest ground.
For special categories of data (ethnicity and disability) employers will be able to rely on the fact that "Processing is necessary for carrying out obligations under employment, social security or social protection law". Skills for Care will also be able to rely on this condition as the processing is necessary to assist in the monitoring of the fulfilment of obligations under employment law (i.e. equal opportunity and diversity monitoring).
Does Skills for Care or employers need consent from the workers (data subjects) whose personal information is being collected?
No. As can be seen above neither employers nor Skills for Care need to rely on consent of the data subjects i.e. for the processing of their data but they should be informed why and how their data is being processed by their employers. Skills for Care also has three privacy notices informing workers why and how their data is being processed by Skills for Care.
How does all of this affect Skills for Care's analysis of the data?
The data that Skills for Care analyse has been pseudonymised i.e. the individual cannot be identified in the output analysis files from the ASC-WDS data base. The date of birth and National Insurance number are used within the data base to produce a unique identifier (through an algorithm) for the worker record that means the worker cannot be identified. Any published analysis is aggregated data e.g. a data analysis across an Area. This means that no individual can be identified.
Can Skills for Care share the raw data sets with researchers or others with a legitimate interest?
If Skills for Care share data from the ASC-WDS for statistical research purposes i.e. pseudonymised data sets then it will be done so subject to a data sharing agreement (DSA) signed by both Skills for Care and the organisation it is being shared with. The DSA will cover the intended use of the data, how the anonymity of the data subjects will be safeguarded, destruction of the data when no longer needed, and publication of any further secondary analysis (i.e. Skills for Care's right to have sight prior to publication and to comment on whether the conclusions drawn are reasonable).
Is Workplace data (e.g. from a residential care home) derived from ASC-WDS such as average pay levels or number of actual occupants personal data?
No, but it is likely to be commercially sensitive and therefore will be strictly protected by Skills for Care.
What about Workplace contact details?
This is not personal data or commercially sensitive and is in the public domain e.g. through the Care Quality Commission register or advertisements.