Privacy Notice for Staff

Coronavirus (COVID-19) update

During the coronavirus (COVID-19) pandemic, the Trust is using and sharing data for public health purposes.

For additional information, please see Supplementary Privacy Notice for Patients: Coronavirus (COVID-19).

This is a Privacy Notice - also known as a Fair Processing Notice.

It should not be confused with the Privacy Statement which concerns the use of this website.

This page describes how the Trust uses and manages the information it holds about its staff, including how the information may be shared with other organisations, and how the confidentiality of staff information is maintained.

Personal data is information that relates to a living individual who can be identified from that data.

The Trust is registered with the Information Commissioner's Office as a Data Controller: reference Z4953683.

Legal Basis for Processing of Personal Data

The Trust holds personal information about its staff for employment-related purposes.

The processing is necessary for the contracts that the Trust holds with its staff and in order to comply with UK employment law.

The GDPR which came into force in May 2018 will continue to operate in UK law after the UK exits the EU (European Union).

This will not affect your rights, your contract of employment or the information that is processed about you.

Please see below for further details.

To ensure that the NHS at local, regional or national level is getting the most from the public purse, workforce information is used to support the development of a Workforce plan, as part of the Strategic Workforce Planning Workstream.

This is done under Article 6(1) (e) 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'  (please see the Strategic Workforce Programme section below).  

The Trust may rely on 'legitimate interests' where the processing is deemed necessary for either your or GWH's legitimate interests or unless there is a good reason to protect an individual's personal data which overrides those legitimate interests.

This may include, but is not limited to, monitoring the use of Trust systems or apps.

How staff records may be shared

The Trust shares staff information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to data processors - e.g. to companies providing archive storage of personnel records under contract to the Trust
  • Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles
  • Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure and Barring Service for criminal record checks, to named GPs for health checks, to housing agencies for staff relocation or accommodation
  • Disclosure to employment agencies - e.g. in respect of agency staff
  • Disclosure to banks and insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees, with individual consent
  • Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings;
  • Disclosure to occupational health professionals (subject to explicit consent)
  • Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries, or in response to a court order
  • Disclosure to research sponsors or lead organisations, where the Trust is participating in research. Data may include names, contact information, work experience and professional qualifications, publications, educational background and/or information relating to payments made. This will be done with consent.

Confidential staff information is only shared with other organisations where there is a legal basis, when one of the following applies:

  • When there is a statutory duty to share staff data
  • When there is a statutory power to share staff data
  • When the employee has given their explicit consent to the sharing

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

From 2017/18, NHS bodies were added to the mandatory list of responders.

The core datasets include payroll data.

For a list of what is uploaded, please see: Payroll
(https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/723586/Final-Payroll-Data-Spec-18-19.pdf).

For 2020, the Trust is required to take part in the National Flu Vaccination Programme which is led by NHS England.

Information needs to be shared as part of this programme.

If you would like to see what information is being used and the lawful basis for using it, then please see the  NHS England website: National Flu Vaccination Programme (www.england.nhs.uk/contact-us/privacy-notice/national-flu-vaccination-programme).

Mass Messaging Alert System

The Trust is using Alert Cascade as an emergency response system.

This system will be used primarily to push alerts and notifications to staff on their personal mobiles and/or email addresses at times of extreme pressure or crisis. 

On some occasions during emergencies, the Trust may request that staff respond with information about themselves to aid the Trust's operational response to the emergency.

While we would encourage staff to respond to these messages, they are optional and you can choose not to respond or provide any data. 

In the event that data is sent, this will be held at one of three server locations on the Alert Cascade system; in the UK, Dublin or Frankfurt.

The host site has been assessed as secure and hold both Cyber Essentials Plus accreditation and also ISO27001 security standards.

Data sent will only be used for the purposes of planning the Trust's response to the emergency and your data will not be used for any other purposes.

Sharing Information held in the Electronic Staff Record

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR).

ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety.

In accepting employment with the Trust, you accept that the following personal data will be transferred under the streamlining programme if your employment transfers to another NHS organisation:

  • Personal information such as your name, date of birth and contact details
  • Recruitment information including qualifications, registrations with professional organisations, National Insurance (NI) Number, etc.
  • Payroll information
  • Assignment details (job role, department etc.)
  • Training records

Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers.

NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce.

The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS both to make costs savings for Trusts but also to save you time when your employment transfers.

Strategic Workforce Programme

Developments in health and care services are driving organisations to work even more closely together to provide the best quality care, whilst achieving the greatest value for money.

It is widely recognised that the sharing of relevant data in a timely and secure manner supports the delivery of effective care. 

The Trust will support the development of a wider workforce plan, as part of the Strategic Workforce Planning Workstream, through the sharing of workforce information.

Data from organisations and providers across the whole health and social care economy within the BSW STP (Bath and North East Somerset, Swindon and Wiltshire Sustainability and Transformation Partnership) will be processed and used to establish the relationship between workforce capacity and service delivery.

This will use information held in the Electronic Staff Record (ESR) and will include data such as:

  • Job role
  • Division
  • Directorate
  • Speciality/Department
  • Mid-point of job pay scale

Step into Health

The Step into Health programme supports employers in the NHS to recruit from the Armed Forces community (e.g. service leavers, spouses, dependents) by providing tailored access routes to employment and training opportunities.   

As part of this work the team at NHS Employers provides tools, guidance and support to NHS organisations so they can engage with the Armed Forces community and therefore have a more representative workforce. 

For more information, please see the Step into Health Privacy Notice (https://login.militarystepintohealth.nhs.uk/privacy).

Retention

Your personal data will be retained by the Trust in accordance with the retention schedule outlined in the Records Management Code of Practice for Health and Social Care 2016.

Staff access to their information

Trust employees have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy.

Staff members wanting to access their employment information should contact their Human Resources representative.

Requests are normally fulfilled within 30 calendar days of receiving the request in writing.

There is no charge for this unless the request is deemed to be manifestly unfounded, excessive or repetitive.

If we determine this to be the case we will notify you of this in writing. 

For employees who are also patients of the Trust, please see Your health record.

Security

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust's security services, including the use of CCTV, are managed by Serco.

The Tust remains the data controller of this data and any disclosures to third parties such as the police, will only be done with the permission of the Trust.

For safety and security reasons, the Serco security personnel will also be using body-worn video cameras while on duty; this follows a three-month trial period.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the general public.

Further information

For further information about this notice, or any other data protection matter please contact the Information Governance team:

Tel: 01793 605675
Email: gwh.info.gov@nhs.net

Great Western Hospitals NHS Foundation Trust
Marlborough Road
Swindon
SN3 6BB

For further guidance concerning the General Data Protection Regulation and Subject Access Requests in general, please contact:

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF 

Tel: 0303 123 1113 or 01625 545745

Or please see the Information Commissioner's Office website (www.ico.org.uk). 

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website and on the intranet.  Where appropriate we will notify you by email.

Please check back frequently to see any updates.

Report a problem with this web page

Please contact us at gwh.webmaster@nhs.net and we'll put it right.

Translate this page: