This is a Privacy Notice - also known as a Fair Processing Notice. It applies equally to substantive staff, Bank staff, volunteers and public participants. 

It should not be confused with the Privacy Statement which concerns the use of this website.

This page describes how the Trust uses and manages the information it holds about its staff, including how the information may be shared with other organisations, and how the confidentiality of staff information is maintained.

Personal data is information that relates to a living individual who can be identified from that data.

The Trust is registered with the Information Commissioner's Office as a Data Controller: reference Z4953683.

Legal Basis for Processing of Personal Data

The Trust holds personal information about its staff (including substantive staff, Bank staff, volunteers and public participants) for employment-related purposes and to allow the Trust to provide our services in an effective, safe and professional way.

The processing is necessary for the contracts that the Trust holds with its staff and in order to comply with UK employment law, as well as complying with our obligations as a care provider and public authority.

The GDPR which came into force in May 2018 will continue to operate in UK law after the UK exits the EU (European Union).

This will not affect your rights, your contract of employment or the information that is processed about you.

Please see below for further details.

To ensure that the NHS at local, regional or national level is getting the most from the public purse, workforce information is used to support the development of a Workforce plan, as part of the Strategic Workforce Planning Workstream.

This is done under Article 6(1) (e) 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'  (please see the Strategic Workforce Programme section below).  

The Trust may rely on 'legitimate interests' where the processing is deemed necessary for either your or GWH's legitimate interests or unless there is a good reason to protect an individual's personal data which overrides those legitimate interests.

This may include, but is not limited to, monitoring the use of Trust systems or apps.

How staff records may be used

The Trust shares staff information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to data processors - e.g. to companies providing archive storage of personnel records under contract to the Trust
  • Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles
  • Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure and Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
  • Disclosure to employment agencies - e.g. in respect of agency staff
  • Disclosure to banks and insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees, with individual consent
  • Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings;
  • Disclosure to occupational health professionals (subject to explicit consent)
  • Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries, or in response to a court order 

Confidential staff information is only shared with other organisations where there is a legal basis, when one of the following applies:

  • When there is a statutory duty to share staff data
  • When there is a statutory power to share staff data
  • When the employee has given their explicit consent to the sharing

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

From 2017/18, NHS bodies were added to the mandatory list of responders.

The core datasets include payroll data.

For a list of what is uploaded, please see: Payroll.

For 2020, the Trust is required to take part in the National Flu Vaccination Programme which is led by NHS England.

Information needs to be shared as part of this programme.

If you would like to see what information is being used and the lawful basis for using it, then please see the  NHS England website: National Flu Vaccination Programme.

Vaccination status

From 1 April 2022, new regulations will come into force which will make it a condition of employment to have been vaccinated against COVID-19.

This applies to all patient-facing staff, unless proof of exemption has been provided.

In order to comply with the regulations and to ensure that the Trust delivers safe care to our patients, while also protecting them, our staff, visitors and other people from the virus, we need to ensure that we have complete and accurate records about our staff vaccination status (or proof of exemption).

Currently, when you have a vaccination, this is uploaded to national and/or regional systems.

As you have the option of receiving your vaccination elsewhere, the information is uploaded by that care provider and the Trust does not always hold your vaccination status.

Therefore, to ensure that we have complete records and so that we can comply with the regulations and provide safe care, we will need to extract this data onto a local system.

For existing staff, this will be done under Article 6(1)(e).

For any new staff who start after 1 April 2022, the lawful basis will be Article 6(1)(c).

For both existing staff and those starting after 1 April 2022, the special category data will be processed under Article 9(2)(b) and 9(2)(i).

The Trust already holds information about you in the personnel file and the data extraction will be for the vaccination status, dates, type of vaccine and NHS number only.

The data stored, whether extracted from a system or proof of exemption provided directly by you, will be considered part of the employment record and used to ensure that the Trust is compliant with the regulations to provide safe care to patients and to ensure that staff are compliant with the condition of their employment, if they are in patient-facing roles.

The vaccination data will be searched/extracted from the ‘NIVs (National Immunisation and Vaccination System) and NIMs (National Immunisation Management Service)’ and ‘VaccinationTrack’ systems for existing staff, and it will be asked at the pre-employment check phase for new staff.

The data will be deleted six years after employment finishes, in line with the retention period for personnel records in the Records Management Code of Practice 2021.

However, in the event that the vaccination status and process becomes part of the terms of reference for the UK Government Inquiry into the COVID-19 response then records may need to be stored for longer.

Data Protection Impact Assessments have been completed for the national NIVs and NIMs system, regional VaccinationTrack system and the local tool to store staff data at GWH.

These include the security of the system, uses of data, retention periods and lawful bases, among other things.

For more information on the systems used, please email the IG (Information Governance) team at gwh.info.gov@nhs.net.

Elective Theatre Performance & Forecasting Software Launch

To accelerate waiting list reductions and deliver sustainable elective recovery, GWH need to increase the visibility of performance across all its elective theatres.

This will include sharing of consultant names with a third party to analyse the data. A data protection impact assessment has been conducted and data will be used only for the duration of the contract and will be deleted once it is no longer needed.

Mass Messaging Alert System

The Trust is using Alert Cascade as an emergency response system.

This system will be used primarily to push alerts and notifications to staff on their personal mobiles and/or email addresses at times of extreme pressure or crisis. 

On some occasions during emergencies, the Trust may request that staff respond with information about themselves to aid the Trust's operational response to the emergency.

While we would encourage staff to respond to these messages, they are optional and you can choose not to respond or provide any data. 

In the event that data is sent, this will be held at one of three server locations on the Alert Cascade system; in the UK, Dublin or Frankfurt.

The host site has been assessed as secure and hold both Cyber Essentials Plus accreditation and also ISO27001 security standards.

Data sent will only be used for the purposes of planning the Trust's response to the emergency and your data will not be used for any other purposes.

Sharing Information held in the Electronic Staff Record

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR).

ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety.

In accepting employment with the Trust, you accept that the following personal data will be transferred under the streamlining programme if your employment transfers to another NHS organisation:

  • Personal information such as your name, date of birth and contact details
  • Recruitment information including qualifications, registrations with professional organisations, National Insurance (NI) Number, etc.
  • Payroll information
  • Assignment details (job role, department etc.)
  • Training records

Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers.

NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce.

The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS both to make costs savings for Trusts but also to save you time when your employment transfers.

Strategic Workforce Programme

Developments in health and care services are driving organisations to work even more closely together to provide the best quality care, whilst achieving the greatest value for money.

It is widely recognised that the sharing of relevant data in a timely and secure manner supports the delivery of effective care. 

The Trust will support the development of a wider workforce plan, as part of the Strategic Workforce Planning Workstream, through the sharing of workforce information.

Data from organisations and providers across the whole health and social care economy within the BSW STP (Bath and North East Somerset, Swindon and Wiltshire Sustainability and Transformation Partnership) will be processed and used to establish the relationship between workforce capacity and service delivery.

This will use information held in the Electronic Staff Record (ESR) and will include data such as:

  • Job role
  • Division
  • Directorate
  • Speciality/Department
  • Mid-point of job pay scale

Step into Health

The Step into Health programme supports employers in the NHS to recruit from the Armed Forces community (e.g. service leavers, spouses, dependents) by providing tailored access routes to employment and training opportunities.   

As part of this work the team at NHS Employers provides tools, guidance and support to NHS organisations so they can engage with the Armed Forces community and therefore have a more representative workforce. 

For more information, please see the Step into Health Privacy Notice.

Retention

Your personal data will be retained by the Trust in accordance with the retention schedule outlined in the Records Management Code of Practice 2021.

Staff access to their information

Trust employees have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy.

Staff members wanting to access their employment information should contact their Human Resources representative.

Requests are normally fulfilled within 30 calendar days of receiving the request in writing.

There is no charge for this unless the request is deemed to be manifestly unfounded, excessive or repetitive.

If we determine this to be the case we will notify you of this in writing. 

For employees who are also patients of the Trust, please see Health records.

Security

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust's security services, including the use of CCTV, are managed by Serco.

The Tust remains the data controller of this data and any disclosures to third parties such as the police, will only be done with the permission of the Trust.

For safety and security reasons, the Serco security personnel will also be using body-worn video cameras while on duty; this follows a three-month trial period.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the general public.

Further information

For further information about this notice, or any other data protection matter please contact the Information Governance team:

Tel: 01793 605675
Email: gwh.info.gov@nhs.net

Great Western Hospitals NHS Foundation Trust
Marlborough Road
Swindon
SN3 6BB

For further guidance concerning the General Data Protection Regulation and Subject Access Requests in general, please contact:

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF 

Tel: 0303 123 1113 or 01625 545745

Or please see the Information Commissioner's Office website

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website and on the intranet.  Where appropriate we will notify you by email.

Please check back frequently to see any updates.