Staff privacy notice

Last updated: 11 January 2022

Gloucestershire Hospitals NHS Foundation Trust is registered as a data controller with the Information Commissioner’s Office (ICO) as part of the Data Protection Act 2018. We’re committed to collecting, storing and processing personal information in line with UK Data Protection Law and the General Data Protection Regulation (GDPR).

The Trust will keep your records as defined within the Corporate Records Management Policy and Retention Schedule.

For the purposes of this privacy notice, the term ‘staff’ includes:

• applicants
• employees
• workers, including agency, casual and contracted staff
• volunteers
• trainees
• apprentices
• work experience placements

We reserve the right to update this privacy notice at any time, and we’ll notify you with a new privacy notice if we make any substantial updates. From time to time, we may also let you know about the processing of your personal information in other ways.

Types of information we collect

Personal information

This is information that identifies you, like your name or contact details.

It’s important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes during your working relationship with us.

If any changes are required please let us know by contacting your line manager in the first instance or emailing the HR Department.

Special category personal information

Some of the information we collect is special category data, or sensitive data, which can include:

• your race or ethnicity
• religious beliefs
• trade union membership
• health, including physical and mental health
• sexual orientation and gender
• criminal convictions
• disabilities

Extra safeguards are applied to special category information, and we must be able to demonstrate a legitimate reason to hold and use it.

Coronavirus (COVID-19) self isolation

In addition to information relating to your health, the Trust may also collect and process information relating to coronavirus (COVID-19) self isolation status, to help with workforce planning and ensure continuity of services.

The lawful basis will be GDPR Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).

The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems) and 3 (public health) are engaged.

Laws on information processing

The Trust will only process your personal information where we are able to do so by law, under the legal basis available through the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR).

The legal bases we use most often to collect information are:

• entering into and managing our employment contract
• legal obligations where processing is necessary for compliance, for example, informing HMRC of your tax and National Insurance contributions
• when considering employees’ rights as potential members of the Trust
• where the Trust may rely on its legitimate interests, where a formal assessment has been made and recorded

Where we process sensitive personal or special categories of data about you, we will ensure this is done only where one of the following conditions applies:

• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, or the data subject, in the field of employment and social security and social protection law
• processing is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, or the provision of health or social care

If you require further information about the legal basis for any specific aspect of processing please email the Data Protection Officer.

When we collect information about you

If you apply for a job

When you apply for a position with the Trust, you will give us relevant information about you which includes:

• personal contact details
• details of your skills, qualifications, employment history, experience, and professional membership (if relevant), and training history
• referee details

If you are invited to interview

During recruitment and selection, we will collect additional information like:

• correspondence, interview notes, and results of any tests you’re asked to complete as part of the selection process
• copies of qualifications and certificates
• pre-employment checks, including referees
• your nationality and immigration status, to confirm your eligibility to work in the UK
• your national insurance number, tax and bank details
• details of your pension
• remuneration, including salary and entitlement to benefits
• trade union membership
• criminal record
• ethnicity, gender, health, religion or sexual orientation
• medical history relevant to your employment, including physical health, mental health and absence history
• publicly available information, like your social media presence

If you become an employee

If you are employed by us, we may collect additional information like:

• your image, for security and ID badges
• education and training history
• appraisal and performance reviews
• security and audit data when you use Trust IT equipment and systems, including the use of NHS smart cards, and when you use your own computer or device to access Trust systems including device identifiers and IP addresses
• your performance, sickness absence and other work related matters
• CCTV recordings when you’re on Trust premises
• personal data recorded as a normal part of your work activity
• data relating to employee relations, like disciplinary proceedings or complaints

Why we collect your information

We will use your information to administer your employment and associated functions. Your information may be shared between relevant colleagues who need the information to carry out their duties, like your line manager or HR teams.

We use staff data to meet our legal obligations as an employer, which include:

• recruitment and selection
• compliance with visa requirements
• maintaining staff records, including payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, conduct, management progress, disciplinary and grievance process and complaints, pensions administration, and other general admin and human resource related processes
• monitoring equal opportunities
• payment of trade union membership fees
• providing facilities, like IT systems access, library services and car parking
• preventing and detecting crime, like using CCTV and photo ID badges
• communicating about the Trust, including news and events
• maintaining patient health records, in line with the Trust’s clinical records keeping standards
• managing safe environments and fitness to work
• managing human resources process, like sick pay, managing absence, parental leave, and workforce planning
• occupational health and wellbeing services
• service quality monitoring
• maintaining contact with former employees
• Managing and monitoring network and systems access including cyber security and forensic requirements

We maintain electronic and paper records that relate to your recruitment and employment. This information is held by the HR team and locally, with your line manager. All paper files are securely stored and only relevant staff will be able to access this information.

Electronic information is accessed on a need to know basis, using the Trust’s ESR and other systems. Some information may be held on the Trust’s secure electronic drives, where access is only granted to appropriate individuals.

2020 Staff Advice and Support Hub

When you call the Hub we may record your contact details, and information about the issues you have raised and about any advice or support you have been given, or referred to.

We record this information in order to provide advice and to manage the service, including any future contact with you. Information about the matters raised will be kept separate from information that identifies you and may be used to analyse and improve the service.

The information will be kept confidential and access will only be available to authorised Hub staff. Information which identifies you will not be shared with any other person without your consent unless this is necessary for legal and regulatory purposes.

The legal basis for processing is our legitimate interest in providing a confidential advice and support service for the welfare of our staff.

Data sharing with third parties

We may disclose personal and sensitive information to a variety of recipients when:

• there’s a legal obligation to share
• it’s necessary for the performance of your employment contract
• you have consented to the sharing

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only disclosed to those agencies and bodies who have a need to know, when there is a lawful basis to do so.

Your Trust contact details may be shared where there is a legitimate reason to do so and this is appropriate to your role and responsibilities, and recipients may include:

• our employees, agents and contractors where there is a valid reason for them receiving the information
• professional and regulatory bodies in relation service reviews and the confirmation of conduct, including complaints, job description and information provided as part of the recruitment process
• government departments and agencies where we have a statutory obligation to provide information, like HMRC and the Department of Health
• third parties who work with us to provide staff support services, like counselling
• crime prevention or detection agencies, like the police and security organisations
• the Parliamentary and Health Service Ombudsman
• internal and external auditors
• courts and tribunals
• trade union and staff associations
• relatives or guardians of an employee
• NHS Business Services Authority

Every year, the NHS is required to participate in the National Fraud Initiative (NFI). As part of this, we provide payroll information for data matching. Data matching involves comparing sets of data, such as payroll or benefits records of an organisation, against other records held by the same or another organisation. Find out more from the NFI Privacy Notice.

NHS Business Service Authority

The Trust also shares employee records information with the NHS Business Services Authority, which acts as a data processor for the Trust.

The information you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records. It’s stored on the national NHS Electronic Staff Record (ESR) system.

Electronic staff record (ESR)

When you start your employment with the Trust, your personal data will be uploaded into the ESR system. IBM, who provide ESR, and its partners as service providers will be responsible for maintaining the system. This means that they may occasionally need to access your staff record, but only to ensure that the ESR works correctly.

Where this happens, access will be limited and is only to allow any problems with the computer system to be investigated and fixed as necessary. IBM and its partners will not have the right to use this data for their own purposes, and contracts are in place with the Department of Health to ensure that the data is protected and that they only act on appropriate instructions.

IBM and the ESR Central Team may access anonymised data about transactions on the ESR system in order to support the development and optimal use of the system.

Data Warehouse

Some of your personal information from ESR will be transferred to a separate database, known as the Data Warehouse. This will be used by various Government and other bodies to meet their central and strategic reporting requirements. It will allow them to access certain personal information to generate the reports that they need and are entitled to.

The Data Warehouse is intended to provide an efficient way of sharing information. Organisations currently granted access to the Data Warehouse are:

• NHS Digital
• NHS Employers
• Health Education England and its local committees (LETBs)
• Deaneries
• Department of Health
• Welsh Government
• NHS Wales Shared Services Partnership
• Care Quality Commission
• NHS Trust Development Authority
• Monitor

The Government may allow further organisations to have access in the future and therefore an exhaustive list cannot be provided, however any organisation having access to your data will have a legal justification for access.

NHS flu and COVID-19 vaccination programmes

The Trust provides data on all staff to NHS Digital as required by the Secretary of State for Health exercising the public health functions under section 2 of The National Health Services Act 2006. 

This includes: 

• name 
• address 
• employee number 
• date of birth 
• gender 

The purpose is to administer and implement the National Immunisation Vaccination Service (NIVS) (flu and COVID-19) immunisation programmes for NHS staff.  The implementation of this service delivers a centralised data capture tool for clinical teams delivering the seasonal flu and COVID-19 immunisation and is an essential component of NHS England’s response to the COVID-19 pandemic.  Particulars of staff receiving immunisation are also provided to NIVS as part of the program. For further information see the NHS England and NHS Digital Privacy Notices.  Where staff have received COVID-19 immunisation elsewhere, the Trust may receive information about this from NIVS or the National Immunisation Management System (NIMS) used by GPs.

Staff immunisation status is recorded on the NHS Electronic Service Record (ESR) or Trust agency worker checklist and may be shared with managers and supervisors for the purpose of service planning and assessing suitability for employment, having regard to any requirement to be vaccinated when employed in a CQC regulated activity. Immunisation status may also be shared with other healthcare providers for that purpose.   

The lawful basis for processing immunisation status is: 

• necessary for the performance of the employment contract with particular respect to any requirement to be vaccinated when employed in a CQC regulated activity 
• necessary for compliance with the legal obligation in R17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to maintain such records as are necessary to be kept in relation to persons employed in the carrying on of a regulated activity 

Information may be shared between providers of regulated services for the purposes of the legitimate interests of both parties in complying with the above requirements. All processing of immunisation status falls within Art 9 (2)(h) UK GDPR – necessary for the management of health or social care systems and services.

Other NHS organisations

To streamline staff movement, we may share your information if you accept an offer with another NHS organisation, or your employment transfers or is seconded to another NHS organisation.

The following information may be shared if there is a legitimate business interests of the two organisations to do so:

• personal data to verify who you are, like your name, date of birth, address, NI Number
• employment Information to allow for correct pay and annual leave and sickness entitlements, like your position, salary, and dates of any sickness
• training compliance and competency dates, to reduce the need to repeat nationally recognised training and statutory and mandatory training

This information will be shared via the Inter Authority Transfer (IAT) which is the secure process where information is transferred from one NHS employer to another.

Other processors

The Trust uses specialist processors for tasks like:

• workforce planning and analytics
• case management
• expenses claims

Information may also be processed on behalf of the Trust by Gloucestershire Managed Services.

This will always be carried out using a contractor compliant with Article 28 of the GDPR, and with appropriate guarantees of confidentiality.

Your rights

When it comes to personal data held about you by the Trust, you have the right to:

• request access
• request the correction of inaccurate or incomplete information, subject to certain safeguards
• request that your information is deleted or removed where there is no need for us to continue processing it, and when the retention time has passed
• to ask that we restrict the use of your information, based on personal circumstances
• to withdraw your consent for the collection, processing and transfer of personal information for a specific purpose
• to object to how your information is used
• to challenge automated decision making

Further information about these rights can be obtained from the Information Commissioner's Office.

How to access your personal data

If you require copies of personal information held by the Trust, speak to your line manager.

If this is not appropriate or you’re not satisfied with the response, you can contact the legal services department on 0300 422 3160. They will be able to advise you further and obtain copies of central or locally held personnel files, and ensure appropriate personal information is disclosed.

More information

If you have any further questions on the uses of your information, please contact your line manager or you can email the Human Resources team or email the Trust’s Data Protection Officer.

If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner's Office