This is a Privacy Notice - also known as a Fair Processing Notice. It applies equally to substantive staff, Bank staff, volunteers and public participants. 

It should not be confused with the Privacy Statement which concerns the use of this website.

This page describes how the Trust uses and manages the information it holds about its staff, including how the information may be shared with other organisations, and how the confidentiality of staff information is maintained.

Personal data is information that relates to a living individual who can be identified from that data.

The Trust is registered with the Information Commissioner's Office as a Data Controller: reference Z4953683.

The Trust holds personal information about its staff (including substantive staff, Bank staff, volunteers and public participants) for employment-related purposes and to allow the Trust to provide our services in an effective, safe and professional way.

The processing is necessary for the contracts that the Trust holds with its staff and in order to comply with UK employment law, as well as complying with our obligations as a care provider and public authority.

The GDPR which came into force in May 2018 will continue to operate in UK law after the UK exits the EU (European Union).

This will not affect your rights, your contract of employment or the information that is processed about you.

Please see below for further details.

To ensure that the NHS at local, regional or national level is getting the most from the public purse, workforce information is used to support the development of a Workforce plan, as part of the Strategic Workforce Planning Workstream.

This is done under Article 6(1) (e) 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'  (please see the Strategic Workforce Programme section below).  

The Trust may rely on 'legitimate interests' where the processing is deemed necessary for either your or GWH's legitimate interests or unless there is a good reason to protect an individual's personal data which overrides those legitimate interests.

This may include, but is not limited to, monitoring the use of Trust systems or apps.

The Trust shares staff information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to data processors - e.g. to companies providing archive storage of personnel records under contract to the Trust
  • Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles
  • Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure and Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
  • Disclosure to employment agencies - e.g. in respect of agency staff
  • Disclosure to banks and insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees, with individual consent
  • Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings;
  • Disclosure to occupational health professionals (subject to explicit consent)
  • Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries, or in response to a court order 

Confidential staff information is only shared with other organisations where there is a legal basis, when one of the following applies:

  • When there is a statutory duty to share staff data
  • When there is a statutory power to share staff data
  • When the employee has given their explicit consent to the sharing

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

From 2017/18, NHS bodies were added to the mandatory list of responders.

The core datasets include payroll data.

For a list of what is uploaded, please see: Payroll.

For 2020, the Trust is required to take part in the National Flu Vaccination Programme which is led by NHS England.

Information needs to be shared as part of this programme.

If you would like to see what information is being used and the lawful basis for using it, then please see the  NHS England website: National Flu Vaccination Programme.

During the pandemic, information about vaccination status of staff was collected and where necessary, it was stored nationally on secure approved systems. This was to support the response the Covid-19. Data Protection Impact Assessments were completed at this time.

The decision to make vaccinations a condition of employment has now been reversed and therefore the data that was being shared by GWH has stopped. The Trust will continue to maintain local records of vaccinations for our staff. This will be managed in the same way as we maintain occupational health records of staff and will be processed similar to seasonal flu vaccines data. We need to keep this data to ensure that we offer vaccines to the right people and to ensure safe care of our staff. This information will be stored in accordance with the Records Management Code of Practice 2021 and data protection legislation.  

To accelerate waiting list reductions and deliver sustainable elective recovery, GWH need to increase the visibility of performance across all its elective theatres.

This will include sharing of consultant names with a third party to analyse the data. A data protection impact assessment has been conducted and data will be used only for the duration of the contract and will be deleted once it is no longer needed.

The Trust is using Alert Cascade as an emergency response system.

This system will be used primarily to push alerts and notifications to staff on their personal mobiles and/or email addresses at times of extreme pressure or crisis. 

On some occasions during emergencies, the Trust may request that staff respond with information about themselves to aid the Trust's operational response to the emergency.

While we would encourage staff to respond to these messages, they are optional and you can choose not to respond or provide any data. 

In the event that data is sent, this will be held at one of three server locations on the Alert Cascade system; in the UK, Dublin or Frankfurt.

The host site has been assessed as secure and hold both Cyber Essentials Plus accreditation and also ISO27001 security standards.

Data sent will only be used for the purposes of planning the Trust's response to the emergency and your data will not be used for any other purposes.

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR).

ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety.

In accepting employment with the Trust, you accept that the following personal data will be transferred under the streamlining programme if your employment transfers to another NHS organisation:

  • Personal information such as your name, date of birth and contact details
  • Recruitment information including qualifications, registrations with professional organisations, National Insurance (NI) Number, etc.
  • Payroll information
  • Assignment details (job role, department etc.)
  • Training records

Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers.

NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce.

The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS both to make costs savings for Trusts but also to save you time when your employment transfers.

Developments in health and care services are driving organisations to work even more closely together to provide the best quality care, whilst achieving the greatest value for money.

It is widely recognised that the sharing of relevant data in a timely and secure manner supports the delivery of effective care. 

The Trust will support the development of a wider workforce plan, as part of the Strategic Workforce Planning Workstream, through the sharing of workforce information.

Data from organisations and providers across the whole health and social care economy within the BSW STP (Bath and North East Somerset, Swindon and Wiltshire Sustainability and Transformation Partnership) will be processed and used to establish the relationship between workforce capacity and service delivery.

This will use information held in the Electronic Staff Record (ESR) and will include data such as:

  • Job role
  • Division
  • Directorate
  • Speciality/Department
  • Mid-point of job pay scale

The Step into Health programme supports employers in the NHS to recruit from the Armed Forces community (e.g. service leavers, spouses, dependents) by providing tailored access routes to employment and training opportunities.   

As part of this work the team at NHS Employers provides tools, guidance and support to NHS organisations so they can engage with the Armed Forces community and therefore have a more representative workforce. 

For more information, please see the Step into Health Privacy Notice.

Your personal data will be retained by the Trust in accordance with the retention schedule outlined in the Records Management Code of Practice 2021.

Trust employees have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy.

Staff members wanting to access their employment information should contact their Human Resources representative.

Requests are normally fulfilled within 30 calendar days of receiving the request in writing.

There is no charge for this unless the request is deemed to be manifestly unfounded, excessive or repetitive.

If we determine this to be the case we will notify you of this in writing. 

For employees who are also patients of the Trust, please see Health records.

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust's security services, including the use of CCTV, are managed by Serco.

The Tust remains the data controller of this data and any disclosures to third parties such as the police, will only be done with the permission of the Trust.

For safety and security reasons, the Serco security personnel will also be using body-worn video cameras while on duty; this follows a three-month trial period.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the general public.

Further information

For further information about this notice, or any other data protection matter please contact the Information Governance team:

Tel: 01793 605675

Great Western Hospitals NHS Foundation Trust
Marlborough Road

For further guidance concerning the General Data Protection Regulation and Subject Access Requests in general, please contact the Information Commissioner's Office website

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website and on the intranet.  Where appropriate we will notify you by email.

Please check back frequently to see any updates.