Privacy at Boots
As a Boots Worker , you already know the importance of protecting our customers’ privacy and personal information, but our responsibility doesn’t end there; it extends to your personal information too.
From your very first day as a Boots Worker to your last, and even after you’ve left, we use information about you to help us manage your employment and run our business. Without your personal information Boots couldn’t fulfil its duties as an employer so we can’t always give you the same choice we give our customers about their information. That makes it all the more important for us to give you confidence that your information is in safe hands and set clear expectations about privacy in the workplace.
This policy tells you the type of information we hold, how we use it and how that might affect your privacy.
Our Promise to You
We make the same promise to our Workers that we make to our customers: “Boots is committed to protecting your privacy. We believe in using your personal information to make things simpler and better for our Workers and our customers. We will always keep your personal information safe and will never sell it to third parties. We’ll be clear and open with you about why we collect your personal information and how we use it. Where you have choices, we’ll explain them to you and respect your wishes.”
Who’s in control of your information?
Throughout this Policy, ‘we’ or ‘Boots’ means companies within the Walgreens Boots Alliance group, including subsidiaries, affiliates, joint ventures and franchises, and we may share your personal information between those companies both within and outside Europe, for the purposes described in this policy.
Whenever and however we use your information, we keep in mind that first and foremost it is your personal information, and we aim to minimise any impact on your privacy. We only share your information where we genuinely need to do so and with appropriate protections in place, and we will never use it for marketing without your consent.
You can also find useful information about Data Protection, what it means to you as an individual and how it applies to companies like Boots on the Information Commissioners Office (ICO) website, https://ico.org.uk/
Does this apply to you?
This policy applies to information about anyone permanently employed by Boots UK (including the Channel Islands and Isle of Man), Boots International, Boots Opticians or Boots Contract Manufacturing and includes those who work in Global Brands. There is a separate policy for colleagues employed by Boots in the Republic of Ireland.
The policy also applies if you’re with us on a temporary basis, including as a locum, contractor, temporary Christmas Worker or trainee, although the information we hold about you will be more limited. If you work in Boots but are employed by another company (e.g. as a premium brand consultant or security guard) it applies to your information too, although again what we hold would be minimal. Boots Opticians franchise practices and individual Global Brands such as Liz Earle or Sleek may hold their own colleague information but should apply standards in line with this policy.
The Information We Hold & Where it Comes From
Information We Get From You
Most of the personal information we hold is exactly what you would expect your employer to have and comes either directly from you (contact details, qualifications, previous employment etc.) or is created in the normal course of your work (e.g. your performance, training and absence). Some may come from external sources including recruitment or locum agencies or, if you’re a trainee, apprentice or student, from your training provider. If you hold a professional qualification or accreditation, we may verify information with your accrediting or regulatory body, which may provide information about you; and if your Boots career began in a pharmacy, opticians practice later taken over by Boots, or in one of our individual Global Brands (such as Soap and Glory), we may have information from your former employer. If you are a contractor, we may obtain information from your employer or agency.
The systems and applications we use for ePayslips, eLearning, travel booking, claiming expenses and other tasks are another source of personal information. Some of these may be provided by external companies on our behalf such as Kallidus, Salesforce, and Northgate. When you first sign up or log in to our systems we or they will tell you who’s collecting your information and for what purposes. If you don’t have a Boots email address and use a personal email to log in to these systems, make sure you’re happy that the email account you’ve provided is sufficiently private for receiving work-related communications.
Photographs, Film and Audio
We use CCTV and, in some places, audio recording to help us protect our Workers , our customers and our business. Where we do so, we will always make it clear that recording is taking place.
We may also use CCTV to monitor store layout and product location as part of reviewing our commercial plan. It also helps us check that we’re fulfilling any contractual obligations to our suppliers, such as agreed product display or promotion. We have processes in place to ensure this type of monitoring is carried out appropriately and with minimum impact on our Workers’ privacy.
In some of our car parks Automatic Number Plate Recognition (ANPR) helps us monitor the use of our parking facilities and workplace parking scheme and to maintain a safe working environment. Building entry/exit systems collect personal information that helps us maintain the security of our premises. Where appropriate we may use both ANPR and building access information for time and attendance purposes and to assist in internal investigations.
We sometimes use photographs or video of Workers in internal or external communications and we’ll always let you know if we’re filming or taking photographs for this purpose so you can avoid being caught on camera if you prefer not to be. If we want to publish an image of you personally or show your full name with comments you’ve made, we’ll ask for your consent first.
Information We Collect Indirectly
Boots may use Mobile Device Management (MDM) or similar technologies which capture information from devices that connect to our systems. This can include your location and the networks you connect to. If you make personal use of your company device there may also be situations where Boots could access this information.
If you use a personal device to access Boots’ systems for work purposes you should be aware that if the device is lost or stolen, or you leave the company, Boots may attempt to remotely access it and wipe the work information from it. We do this as carefully as possible but technical constraints mean we may not be able to distinguish between work and personal information. For this reason we advise you to regularly backup any important personal information, and use browser-based access where possible to access company e-mails. (E.g. Outlook Web Access rather than the full Outlook client)
If you are a driver whose vehicle is equipped with an in-cab routing device, or if you use a handheld device to record your deliveries or manage tasks, these generate information that can allow your location to be tracked. When you are issued with your device you should be told how to manage it in a way that allows you privacy during breaks and other permitted personal time. If you’re unsure how to do this, please ask your line manager.
Where necessary for business support purposes or to ensure compliance with company rules we may monitor use of Boots communications networks, so communications you make through any company device, system or network should not be considered private, even if you mark them ‘confidential, ‘private’ or ‘personal’. This includes email, instant messaging, postal services, company or guest Wi-Fi and social media such as WhatsApp, Facebook or Pharmacy Unscripted. Remember that you also need to comply with the Social Media Policy in the way you use your own personal social media accounts outside work, and should adjust the privacy settings on each app or service if you want content to be private!
In some areas of our business, both in stores and support office functions, phone calls to and from landlines are recorded so should not be considered private.
How we Use your information
Managing our Business Legally, Efficiently and Responsibly
As well as the obvious things an employer needs to do, such as paying salaries and managing absence, we use your information to help us meet our legal obligations on things like tax, pensions and health and safety, and the requirements of regulators such as the General Pharmaceutical Council (GPhC). It may also be used to help us meet contractual obligations to suppliers and partners, and in essential functions like planning and forecasting or business continuity planning. Where relevant, we may also use it to monitor compliance with our internal policies and standards and those of our wider group.
Understanding our Workforce
Your personal information helps us understand the mix of skills and experience within our business which in turn enables us to plan recruitment, resourcing and training and provide workplaces that meet the needs of our colleagues. We may also look at the breakdown of our workforce by age, gender or nationality so we can provide safe, fair and inclusive working environments, but we never do this in a way that allows individual Workers to be identified.
Protecting our Workers, Our Customers and Our Business
We use your personal information to help us prevent and detect crime, maintain a safe environment for Workers and customers, protect our interests (and those of our suppliers and partners) and ensure that Boots property, premises, time and benefits are used appropriately.
Some information, like CCTV footage or the outcome of DBS (Disclosure and Barring Service) checks are collected specifically to help us do this, but where necessary for these purposes we may use any relevant personal information we hold or obtain about you as a Worker or as a customer including, but not limited to, the types of information detailed in this policy. We may supplement it with information from external sources, including crime/fraud prevention databases and organisations, the Electoral Roll, Companies House, social media and any publicly available information. We will always conduct monitoring and investigations legally, with appropriate authorisation and internal controls in place, and with due regard to your privacy.
Talking to You
We generally use internal communication channels to talk to you but there may be times when we need to reach you personally so it’s important we have accurate contact information. Please let your manager know of any changes to, or errors in, the details we hold about you.
We may consolidate the personal information we hold about you across different internal systems to give us the most up-to-date details, and if we need to contact you about something important related to your employment but don’t have a designated personal e-mail address for you, we may use an e-mail address you’ve given us elsewhere. You’ll always be able to change this later but please make sure – particularly if you do not have a Boots e-mail address – that any personal e-mail account you give in any work system is private enough to receive occasional work-related communications.
Testing and Research
Sometimes we invite Workers to take part in pilot schemes or ‘Proof of Concept’ exercises for new projects, and if you work in an IT function we sometimes ask for volunteers willing to use their personal details in testing our systems. We appreciate the help Workers give with these important functions but participation is always voluntary. If you do volunteer to help, we’ll explain at the outset how your information will be used and what will happen to it at the end of the trial or test. If the outcome will be a live account or service in your name, you’ll be made aware of this before you agree to take part. If we undertake any ‘mystery shopping’ activities, they will be carried out in a way that does not identify individual Workers and access to the information captured will be restricted to those involved in analysing the results. It will only be shared in an identifiable way if we believe patient or Worker safety is at risk or if there is evidence of misconduct or criminal activity.
Sharing your information Outside WBA
Companies That Provide Services for Boots
We may share your personal information with companies within and outside Europe that provide services on our behalf, for example payroll providers, travel bookers and external auditors. We only work with reputable organisations and always take steps to make sure they give your information the same level of care and protection as Boots, wherever in the world it is being processed. This will be through the use of data sharing agreements, Standard Contractual Clauses or adequacy decision by the relevant regulatory body more information about data transfer outside of the European Economic Area can be found on the ICO website mentioned above.
Companies You Have a Relationship With
Where applicable, we may share information about you with training providers or assessors, locum agencies, suppliers of services such as benefit providers, accrediting/regulatory bodies, government funding bodies and other similar organisations. If you are employed by an external company or an employment agency, we may share information with them. This could be for a number of reasons such as legal or contractual. It may also be in your best interest to share your data with training providers for example in order to maintain an accreditation.
The Police and Other Official Bodies
We may share information with the police or other law enforcement bodies for the prevention and detection of crime or where we reasonably fear for your safety or that of another person. We’ll also share relevant information with the police where we are informed that you may have committed an offence using company property, such as speeding in a company car. It is our policy not to respond to requests from the police unless and until they provide us with valid documentation.
Where the law requires or allows us to, we may share your information with external bodies such as HM Revenue and Customs, national fraud prevention organisations, local authorities, regulatory bodies, debt collection and tracing agencies, advisers, auditors and insurers. We do this to protect our rights and interests and those of our suppliers and partners, comply with legal proceedings and assist in regulatory investigations. Be assured that when we receive a request for information from any external body, we check that it is legally valid before responding and always aim to minimise the impact on your privacy.
Changes to our Business
If ownership of all or part of our business changes or we undergo a reorganisation, merger or transfer within Walgreens Boots Alliance companies, we will transfer your personal information to the new owner or Successor Company so we can continue to provide employment. Where the law permits, and with due regard to your privacy, we may share some details during pre-contract negotiations.
Freedom of Information Requests
From time to time Boots receives requests under Freedom of Information legislation for information about our NHS activities. While this does not normally include information about individual Workers, there may be times when it does, and it is our policy not to disclose personal information unless we have your consent or are required by law to do so.
More Sensitive Matters
Supporting our Workers
In the course of your Boots career, we may occasionally need to know more sensitive information about your health and wellbeing, lifestyle or financial circumstances. We only collect this kind of information where it is strictly necessary for a specific purpose which we’ll make clear to you at the time, and if we need to use it in any other way we will seek your consent first. In general, we’ll only need to collect sensitive information like this if you use one of the support services available to you as a Worker, and privacy and confidentiality are at the heart of all these services. Rest assured that we don’t use sensitive information for profiling or making decisions about individual colleagues.
Our employee assistance programme, Lifeworks, is provided by an external company which doesn’t share your personal information with Boots unless you give your explicit consent. Boots does not receive or have access to information that would allow us to identify individual users of the service. We receive only aggregated information for billing purposes and to help us ensure we’re offering support services that are effective and accessible.
If we are concerned about your wellbeing (for example, if you are involved in a serious incident at work) we may proactively pass your details to Lifeworks and ask them to contact you to offer support, but we will not be told about any contact that takes place.
If you are assessed or treated by Colleague Health, your information is held securely by the Colleague Health team. It is not combined with other information Boots holds about you and is not shared within or outside Boots without your consent unless we believe your health or safety, or someone else’s, is at risk.
Applications to the Boots Benevolent Fund are assessed anonymously, and your personal details remain confidential to the team members handling your application. We take steps to ensure that your application is not handled by a colleague known to you, and ‘Benny Fund’ records are held separately and never shared within or outside Boots unless you give your consent.
Nationality, Ethnicity and Gender
As a company that welcomes colleagues from many different backgrounds, we will ask you for details of your nationality, residence status or eligibility to work in the UK or ROI to satisfy our legal requirements, and where we do this, we’ll tell you why we’re asking for it. Where the law requires us to share details outside Boots, we’ll do so in a way that minimises the impact on your privacy.
We collect information about your racial or ethnic origin, sexuality and religion only where necessary to help us comply with Diversity and Equality law and provide fair and inclusive working environments. This information is always optional, so you don’t have to provide it if you prefer not to, but be assured that we hold and use it anonymously. If you give us information about your ethnicity, sexuality, religion or politics in connection with a query or grievance, we’ll use it only for the purpose of investigating and resolving that particular matter.
In line with our Dignity at Work Policy, where you provide us with information about your gender, we will treat it with respect and use it only for the specific purpose for which we collected it (for example, to fulfil our legal obligation to HMRC with regard to pay, tax and National Insurance).
Apart from the ways detailed here, we do not use any of the information we hold (or may be able to infer from other details we know about you) about your ethnicity, nationality, religion, political opinions or trade union membership in an identifiable way without your explicit consent. We do not use information about gender, racial or ethnic origin, religion, sexuality, political opinions or trade union membership to make employment or career management decisions.
Some systems may require you to provide biometric data, such as finger print scans, to verify your identity for time-keeping, building access or authorisation purposes. Such information will be stored securely in the appropriate system and will not be disclosed or used for any other purpose.
You as a Customer
We use staff discount card and Advantage Card usage to identify which customers are also Workers, but your Worker and customer records remain separate except to the extent that we need to link them to monitor use of the Worker discount scheme and other benefits, and for the purposes detailed in the section above, headed ‘Protecting Our Colleagues, Our Customers and Our Business’. Prescriptions or other clinical information we hold about you in pharmacy, opticians or HearingCare services are treated the same as those of any patient and remain separate.
We do not market to you directly as a Worker or use the personal information we hold about you as a Worker (other than your staff discount card usage) for marketing-related purposes. Staff offers and promotions we make available to you as a Worker are not individually-targeted and we deliver them via desk-drop or intranet.
If you have an Advantage Card and have agreed to receive marketing, the fact that you’re a Worker will affect the offers and information we send to you as a customer and also to any second cardholder on your staff discount card. We may include Workers in, or exclude them from, certain customer marketing campaigns so we can keep them relevant and personalised. For example, we avoid sending you as a Worker a voucher for something you’re already entitled to as a colleague, such as a free eye check. Sometimes we also make slightly different offers available to our colleague and non-colleague customers.
Please be assured that we will not send you marketing as a customer unless you have given your consent, and remember that you can change your marketing preferences at any time.
To help us improve the Worker benefits we offer, we may look at information such as the number of Workers who do not have or use an Advantage Card or Boots.com account, but we do this in a way that does not identify individuals.
How long do we keep your information?
How long we keep your information depends on the purpose for which we originally collected it. We hold it as long as we need it to carry out that purpose, meet our obligations and protect our rights and interests. Timescales vary but, for legal and regulatory purposes, most personal details need to be held for 6 years after you leave Boots. We keep them secure and don’t use them for any other purpose. Where an external company handles your information for us, we permit them to hold it only in line with our timescales and to fulfil any legal or regulatory obligations they may have.
Staying in control of your information
We respect the fact that your personal information is your information. If you would like a copy of it, to amend it, delete it or request that Boots stop processing it please contact the Colleague Administration Support Service on email@example.com. We’ll respond to your request within 30 days and may ask you for further information or proof of identity
If you have any concerns about the way Boots uses your personal information you should speak to your line manager in the first instance. You may also contact the Data Protection and Privacy Officer.
The following roles and teams have explicit remit in relation to personal information:
The Data Protection and Privacy Officer, firstname.lastname@example.org has overall accountability for data protection and privacy across Boots and manages Boots relationship with the relevant regulators.
The Records Manager, karen.henshaw@Boots.co.uk is responsible for data retention standards across the company.
Subject Access Requests and Rights
Subject access requests for all workers, including leavers and retirees are handled by the Colleague Administration Support Service, who can be reached on email@example.com
The Information Security & Compliance (ISC) Team is responsible for setting, implementing and monitoring information security standards. firstname.lastname@example.org manages the Operational Enforcement team in ISC.
This policy was issued in May 2018 . We will review and update it from time to time so we recommend that you check back here occasionally. If we make changes we think may affect you significantly we’ll notify you by the most appropriate medium so you know about the changes before they happen.