What is a Privacy Notice?
This is the Privacy Notice (also known as a 'Fair Processing Notice') for the University Hospitals of North Midlands NHS Trust (UHNM), which is a data controller and is therefore able to decide the purposes for which any personal information is used.
- What information we collect about you
- Why we collect information about you
- How we use your information
- Who we may share your information with
- How long we store your information
A copy of the Privacy Notice, Accounts and Expenditure information and Policies can be found via the Trust's Publication Scheme by clicking on the link further down the page. A paper copy can also be provided on request.
This page deals with identifiable information, legislated under the Data Protection Act (2018). If you wish to make a Freedom of Information Request (i.e. corporate, non-identifiable information), please click HERE
How We Protect Your Information:
- UHNM complies with the Data Protection Act 2018 and the Information Commissioner's registration requirements
- UHNM has to provide information for staff and patients about how it manages and handles identifiable data.
- The Data Security & Protection team are available to answer any queries. You can contact the team here - DSP.UHNM@uhnm.nhs.uk
- An information leaflet is available to download and can be kept as a reference guide - How We Use Your Personal Information. This information can also be provided verbally if requested, by contacting the PALS team using this link - contact the PALs team.
- If you wish to make a Complaint about the service you have received at UHNM you can do so by contacting the Complaints Team by using this link - contact the Complaints Team.
Version Control - v2 - 19.03.21
Contact Information for UHNM, Data Controller:
Royal Stoke University Hospital
Tel: 01782 715444
UHNM is registered to process personal and sensitive information under the Data Protection Act 2018; the registration number is Z7476085
Page version control - v2 - 19/03/21
The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response.
This will help to manage and mitigate the spread and impact of the current outbreak of Covid-19. Sharing information more widely with other organisations will help to support planning and management of the response.
Organisations are required to process confidential patient information. If this is COVID 19 related, it will be processed solely for COVID 19 in accordance with Regulation 7 of COPI (which remains in force until March 2022).
- Understanding Covid-19 and risks to public health.
- Understanding the trends in Covid-19 and any risks.
- Controlling and preventing the spread of Covid-19 and any risks.
- Identifying and understanding information about patients or potential patients with or at risk of Covid-19.
- Understanding information about incidents of patient exposure to Covid-19.
- Management of patients with or at risk of Covid-19 including:
- Monitoring patients and collecting information including providing services in relation to:
- Fitness to work.
- Medical and social interventions.
- Recovery from Covid-19.
- Understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19. This would include the availability and capacity of those services or that care.
- Monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness.
- Information about:
- Supplies and services including the workforce within the health services.
- Adult social care services.
- Delivering services and providing information in connection with Covid-19 to patients, clinicians, health services, adult social care services workforce and the public. This includes fit notes, the provision of health care and adult social care services and research and planning.
This notice is effective until 30th September 2021 and then may be extended further.
A Supplementary Privacy Notice has been drafted to cover the fair processing of data (including staff data in respect of COVID-19 testing) during COVID-19 and it can be found here.
As a result of COVID 19, UHNM have made arrangements to allow in-patients and their relatives to be able to communicate through a ‘face time’ option from the ward. Relatives and patients will also be given the opportunity to pass on messages through the PALS team by clicking on this link. Contact the PALs team.
Clinicians may use digital technology to conduct patient consultations and ward rounds. All technology is secure. Patient confidentiality will be maintained throughout.
Page version control - v5 - 23/09/21
The National Health Service and Community Care Act 1990 is the Trust’s source of 'Official Authority'.
To process personal information, UHNM needs to have a legal basis to do so. The main purpose is to process personal information in order to support healthcare activities. This is explained in Article 6 (lawfulness of processing) as part of the UK General Data Protection Regulation and Article 9 (processing of special categories of personal data).
The legal basis for using your data is dependent upon what we need to do with it. These include:
- Consent – To process your personal data, we need to obtain your consent. Where consent is the legal basis for processing, patients should be aware that they are able to withdraw that consent at any time.
- Contract – This is required to be in place with an individual, for example, a member of staff.
- Legal Obligation – This is necessary for UHNM to comply with the law.
- Vital Interest – This is necessary to protect someone's life.
- Public Task – This is necessary to perform a task in the public interest or for official functions. The task or function has a clear basis in law.
- Safeguarding concern – If there is a safeguarding concern, data may need to be shared.
For the purpose of providing you with healthcare, the Trust relies on:
- Article 6(1)(e) - processing is necessary for the purposes of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment.
For research/auditing programmes looking at the outcomes/effects of COVID treatment, the Trust is using:
- Article 9(2)(i) Public Health - processing is necessary for reasons of public interest in the area of public health. This includes protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices on the basis of Union or Member State law.
Currently, the UK is experiencing a national emergency as a result of Corona Virus or Covid-19. As a health Trust we are required to provide information to the Government in relation to our patients and Covid-19.
UHNM is allowed to do this legally as a result of Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI).
Where the confidential patient information to be processed is required for a Covid-19 purpose, it will be processed solely for that Covid-19 purpose in accordance with Regulation 7 of COPI.
Further information on this can be found on the Covid-19 details above.
Below are your rights as identified by the Data Protection Act 2018 in relation to the personal data that we hold.
If you wish to exercise any of these rights, please contact the Data Security & Protection Team at email@example.com or by telephoning: 01782 676441.
The Trust will acknowledge your request within 2 days of receipt, explaining the process and projected timescale for completion.
UHNM will advise of any updates to this timescale if required.
As data subjects (both patients and staff), you have the right to:
- Access – You have the right to ask UHNM for copies of the personal information that is held about you. Details about how to do this are included in the section ‘How to Access your Information’.
- Rectification – You have the right to ask UHNM to correct any information you think is inaccurate or incomplete. This is subject to certain safeguards, however. For more information please click here
- Erasure – You have the right to ask UHNM to erase your information in special circumstances. For more information about this please click here
- Restrict processing – You have the right to limit the way UHNM uses your personal data. If you are concerned about the accuracy of the data or how it is being used, where appropriate, click here for more information
- Object to processing – You have the right to object to the use of your information in certain circumstances. For more information please click here
- Data portability – You have the right to ask UHNM to transfer any electronic information you have given to another organisation in certain circumstances.
- Automated processing - You have the right NOT to be subject to decision-making on the basis of any automated processing and you have the right to withdraw your consent to the processing/sharing of your information.
Page Version Control - v3 - 19/03/21
UHNM has appointed a Data Protection Officer who is responsible for information and advising on data protection regulations and national law. The Data Protection Officer can be contacted by email at DPO.UHNM@uhnm.nhs.uk
Version Control - v2 - 19/03/21
The Trust undertakes Data Protection Impact Assessments (DPIA) on any projects which require the use of identifiable information.
These are available to view via the Freedom of Information process by contacting FOI@uhnm.nhs.uk
Version Control - v2 - 19/03/21
UHNM holds personal information on you in a variety of formats. These include paper records, electronic records and video/audio files. Data from patients who access from their own devices via secure Apps is also held.
Data is collected for patients as listed below; any further data which may be of a more sensitive nature is called special category data.
- Names, including preferred or maiden name.
- Telephone number(s).
- Date of birth.
- NHS number.
- Email address.
- Your next of kin contact details.
- GP details.
- Power of Attorney status.
- Financial details, where we provide healthcare to private patients.
- Visual images, personal appearance and behaviour, for example CCTV images, images captured from drones and body-worn cameras are used as part of building security.
- Whether you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status).
- Emergency Department Appointment Data, taken from NHS Digital's Emergency Department Digital Integration system (further details on this system can be found here).
- Healthcare records which include:
- Notes and reports about treatments and care.
- Details regarding any contact we have had through appointments, telephone calls and home visits.
- Details regarding medical conditions (physical and mental health) for both our patients and, on occasions and subject to patient consent, patients from other Trusts.
- Results of investigations, for example x-rays and laboratory tests.
- Future / current care needs.
- Details regarding agencies, healthcare professionals and relatives involved in your care.
- Racial or Ethnic origin.
- Sexual orientation.
- Genetic and biometric information.
- Sex life information.
- AV files, for internal and external use for both training and marketing purposes. This information will ONLY be shared with the data subject's EXPLICIT consent.
- Summary Care Record
- Prior to your appointment, your NHS Summary Care Record (SCR) will be available to view by the hospital staff involved in your care, unless you have previously opted out of having an SCR. Your SCR contains important information from your GP record including Health & Social Care Information Centre medications, allergies and any bad reactions to medicines. This information may also be added to the information held within the Integrated Care Record (One Health & Care) and further details of that can be found here
- Personal Demographic Service (PDS)
- The PDS is a tracing service which helps healthcare professionals to identify patients and match them to their health records. It also allows them to contact and communicate with patients in a number of ways, including by text and email. Further information about PDS can be found here
On occasions the Trust is required to place an Alert on a patient's record to advise staff of any issues that they may need to be aware of when treating the patient, such as any access difficulties for example. These Alerts are part of a rigorous review procedure which includes the proportionality of the alert to comply with the requirements of the Human Rights Act (Article 8).
Information we hold and process for staff, volunteers, job applicants and others:
- Employee details, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images.
- Staff details to allow for the on-line processing of staff COVID vaccination appointments, utilising current technology to facilitate the appointment, for example QR Code.
- Information for job applicants for the purposes of processing their application and ensuring equality and patient safety.
- In order to comply with statutory requirements and to facilitate the running of UHNM, staff, volunteer and apprentice information may be shared with third parties that provide services to UHNM.
- Staff, volunteer and apprentice information will be processed as part of their contract / agreement with the Trust. This will be fully explained by the Human Resources team and / or your manager.
- Staff, volunteers and job applicants can contact the Trust Human Resources department for further information on how their information is processed.
Personal and confidential information is collected to help us provide you with the best possible care. This information can come from your GP, referrals, healthcare professionals involved in your care and yourself.
If you apply for a job or are employed at UHNM, we will collect your personal information.
The information provided may be used to:
- Provide healthcare services and treatment.
- Provide chaplaincy and pastoral care services.
- Ensure that money is used properly to pay for the services it provides.
- Investigate complaints, legal claims or important incidents.
- Make sure services are planned to meet patients' needs in the future.
- Review the care given to make sure it is of highest possible standard.
- Manage specialised services.
- Improve the efficiency of healthcare services by sharing information with other organisations (sometimes non-NHS/Social care). These include Age UK, Revival and/or Vast, for example, for a specific, justified purpose which is approved by UHNM's Caldicott Guardian.
- Check and report to our regulators on how well we are performing.
- Provide patient surveys for service improvements.
- Research (consent will always be sought to use your data for this purpose).
- Manage service workload by e-mailing appointment reminders, for example (where we have been provided with an e-mail address).
- Access to the National Summary Care Record (SCR) - staff may often access SCR to review patient records prior to a patient presenting for an outpatient appointment.
Page version control - v3 - 03.12.21
Your health records may be held in both paper and / or electronic format. UHNM will keep your health records for specified periods of time in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Although there are exceptions and certain conditions affecting the length of time, UHNM will keep a health record for an adult for a period of 8 years after the last entry. A child’s record is kept until he/she reaches the age of 26 years old.
Page version control - v2 - 19/03/21
In order to provide you with the best possible healthcare, your personal information may be shared with:
- Other NHS organisations, including other NHS Trusts, Ambulance Service, GPs, etc.
- Other NHS organisations with whom UHNM is collaborating to provide joint services. Examples include NHSE for the Wayfinder App, which enables all UHNM patients to see their outpatient appointments from the NHS App, and the Integrated Care Record, where UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts – Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record which will contain data about all patients seen and treated at either of the UHNM Hospitals. This is not the full record but a snapshot of the data held to help clinicians to provide the most appropriate care. Other examples are the West Midlands Digital Pathology Network and the initiative developed by Stoke CCG to manage the healthcare of the city's homeless. For further information, see the 'One Health & Care' link.
- Non-NHS organisations that are involved in your care, for example: Social Services, Private Care Homes, Local Councils, Voluntary and Private Sector Providers, Charities, community pharmacies etc.
- Non-NHS organisations with whom we have robust contractual arrangements and who undertake services on our behalf, for example Remote Monitoring of patients for the purposes of providing direct healthcare.
- Non-NHS organisations that we are mandated to share with, for example Cancer Registries, Public Health Notifications, Renal Disease Registries.
- Non-NHS organisations who may contact you if we feel that you will benefit from the services they offer - you are under no obligation to accept and any refusal will not affect future treatment or care by UHNM.
As part of a legal requirement, the Trust has a duty to share your information. This includes, but is not limited to:
- Disclosure to the Police for the prevention and detection of crime.
- Prevention and detection of fraud.
- Disclosure under a Court Order.
- Disclosure & Barring Service – for employment/recruitment purposes.
- In the public interest to prevent abuse or serious harm to others.
- Our obligation under a Duty of Contract with:
- Clinical Commissioning Groups.
- NHS Digital.
- Public Health England.
- Care Quality Commission.
- Third parties contracted via NHS England.
- Other Commissioning Support Providers.
- National Immunisation Vaccination Service for Healthcare Workers (NIVs) - this is a NHS England initiative and further information can be found here.
- NHS111 (via a System called EDDI) which allows a patient to call to make an appointment at A&E. You can find out more information about NHS111 here.
- Evidence for External Accreditations (for example DSP Toolkit)
- National Congenital Anomaly & Rare Disease Registration Service - national survey managed by Public Health England
Sharing your personal information with other organisations is always governed by specific legislation and transferred in accordance with the requirements of the legislation and the NHS Confidentiality Code of Conduct, including the use of a Secure Portal.
If you choose to share your personal information with a third party, this will not be processed by UHNM.
If you have any questions regarding the sharing of your data, please contact DPO.UHNM@uhnm.nhs.uk
As part of the treatment pathway for patients being treated for COVID within the Community, an agreement has been reached with Staffordshire Fire & Rescue Service whereby we share patient demographic details to allow the service to deliver medication to patients at home. This is to reduce the numbers of patients who have to attend the hospital.
In addition, due to the current Covid-19 restrictions on patient visiting, a process for patients' relatives and carers has been put in place so that you are able to receive up to date information.
The patient will be required to provide staff with a 'password' which friends and relatives can quote when ringing for updates. This will be explained to the patient on admission.
Alternatively, patients can contact the PALs team who will be able to provide the patient information update.
Page version control - v11 - 07.09.22
How to access your information
Under the Data Protection Act 2018 and the UK General Data Protection Regulation you can make a request for:
- A copy of all or a specific piece of information the Trust holds about you.
- How and why we process your information.
- Who we share your information with
For Data held in your health record:
For data held in your health record you will need to make a formal request to the Health Records team. Further information can be found on the Health Records page and Access to Health Records Leaflet.pdf
The team can be contacted at firstname.lastname@example.org
For Data held in your staff record:
Staff records need to be requested through your Line Manager or the HR Department.
For Data not held in your Health or Staff Record:
Certain information, such as emails held on the Trust servers, does not form part of your health or staff record and therefore any requests made as part of a Complaint or a general Subject Access request will be dealt with by the relevant team, who will liaise with the Information Security team.
Alternatively, a request can be made direct through the personal data request process by emailing PDR@UHNM.nhs.uk
Renal Patients are able to access their condition-specific information via a patient portal.
The Information Commissioner's Office (ICO) is an independent body which regulates the Trust under Data Protection and Freedom of Information legislation.
The Trust is registered with the ICO
Registration Number - Z6476085.
Contact details for the ICO:
Information Commissioner's Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Changes to this Privacy Notice
We will keep this privacy notice under regular review. Each page has its own version control identifying when the page was last updated.
The Information Commissioner's Office has made a statement about their working arrangements as a result of the COVID-19 Epidemic. You can read their updated information here.
Page version control - v2 - 19/03/21
How the NHS and care services use your information
UHNM is one of many organisations working in the health and care system to improve care for patients and the public.
Important information about you is collected in a patient record for the service you are using, for example, Accident and Emergency or Services in the Community. Collecting this information helps to ensure you get the best possible care and treatment and can also be used to provide other organisations with data for the purposes of your individual care. These include:
- Research into the development of new treatments.
- Preventing illness and diseases.
- Monitoring safety.
- Planning services.
This information and any patient confidential information will only be used when there is a clear legal basis to use it.
Most of the time, data used for research and planning is anonymised so that you cannot be identified, and therefore your confidential patient information is not required.
You have a choice about whether you want your confidential patient information to be used in this way, and if you are happy with this, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
This web page includes:
- Explaining what is meant by confidential patient information.
- Examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Benefits of sharing data.
- Understanding more about who uses the data.
- Finding out how your data is protected.
- Being able to access the system to view, set or change your opt-out setting.
- Details of contact telephone number(s) if you want to set/change your opt-out by phone.
- Situations where the opt-out will not apply.
Further details of how patient information is used are at:
- https://www.hra.nhs.uk/information-about-patients/ This covers health and care research.
- https://understandingpatientdata.org.uk/what-you-need-know This covers how and why patient information is used, the safeguards and how decisions are made.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data is only used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place to enable compliance with the national opt out scheme which allows you to choose how your confidential patient information is used and shared for the purposes beyond your individual care.
Page version control - v2 - 19/03/21
UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts – Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record which will contain data about all patients seen and treated at either of the UHNM Hospitals. Further information about One Health & Care can be found here. This is not the full record but a snapshot of the data held to help clinicians to provide the most appropriate care.
This will be a central library of information that each organisation can access (for their own patients only) so that clinicians will have a complete picture of a patient's needs, medications etc.
More information on this initiative can be found by reviewing the information leaflet which can be accessed by clicking the link here.
Page version control - v4 - 03.11.22
In some circumstances it may be necessary to transfer your personal information overseas. If this is required, information will only be shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.
Any transfers that do take place will be made in full compliance with all aspects of Data Protection legislation and you will be informed by the Trust beforehand.
Page version control - v2 - 19/03/21
UHNM makes use of CCTV systems, including body worn cameras and images captured from drones. These are used as part of building security for crime prevention in line with the Information Commissioner's CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.
Page version control - v2 - 19/03/21
If you have any questions about our Privacy Notice or information we hold about you, please contact:
Data Security & Protection Team, DSPUHNM@uhnm.nhs.uk
the Trust’s Data Protection Officer DPO.UHNM@uhnm.nhs.uk
If you would like to make a complaint about how your information is being used, you can discuss your concerns with our Patient Advice and Liaison Service (PALS) (email: email@example.com) or you can contact our Complaints Department (email: firstname.lastname@example.org).
For further information please see the complaints leaflet.
Royal Stoke PALS office, situated inside the main building entrance
Monday to Friday between 9.00am and 4.00pm (excluding bank holidays).
Tel: 01782 676450 / 01782 676455 / 676435
County Hospital PALS office situated inside the main entrance is open
Monday to Friday 9:00am to 5:00pm (excluding bank holidays).
Tel: 08000 407060 / 08000 721 646
If you want to contact us in writing please use the below address:
Chief Executive OR Chief Nurse
University Hospitals of North Midlands
Royal Stoke University Hospital
The University Hospitals of North Midlands Trust is committed to the Freedom of Information Act 2000.
The NHS is facing unprecedented challenges relating to COVID-19 at the current time and understandably our resources have been diverted to support our front-line colleagues who are working tremendously hard to provide care for our patients and to those in need of our services. During this time it is likely that responses to some requests for information may be delayed. We will endeavour to provide you with as much information as we can as soon as we can. UHNM continues to strive to be transparent and to work with an open culture. The Information Commissioner's Office has recognised the current situation in the NHS.
Page version Control - v3 - 07/09/23
UHNM will engage with other organisations on projects which may involve sharing patient data. Such sharing is always undertaken in a lawful way, according to the Data Protection Act (2018).
We include below links to the projects currently approved:
One Health & Care (an Integrated Care Record) - https://www.twbstaffsandstoke.org.uk/about-us/our-work/one-health-and-care
Patient Health Record (PHR) - This is part of the One Health & Care Integrated Care Record and allows the patient to access elements of their own record via an App - https://www.twbstaffsandstoke.org.uk/about-us/our-work/one-health-and-care/personal-health-record-privacy-notice
Team Prevent (for staff Occupational Health) - https://www.teamprevent.co.uk/storage/user/Privacy_Statement_TEAM_PREVENT.pdf
COVID-19 – Supplementary Privacy Notice - http://www.uhnm.nhs.uk/media/3369/supplementary-privacy-note-on-covid-19-for-patients.docx
Keele University - https://www.keele.ac.uk/privacynotices/privacynotice-students/
Smart with your Heart (NHS Test Bed project for Heart Failure patients; Cardiac Re-hab patients and Community Heart patients):
Florence 'FLO' - https://legal.mediaburst.co.uk/
Recap Health - https://health2works.com/privacy-policy/
NHS Secure Boundary - a service managed by NHS Digital to improve the detection of cyber security threats to NHS organisations' internet breakout traffic.
Page Version Control - v7 - 09/06/22
UHNM uses a number of different methods to communicate with our patients which have been reviewed by the Data Security & Protection team. UHNM can assure patients that the most secure methods are used, and you will be made aware of which method before making contact.
- Writing to you.
- Text message. This may be used if a clinic appointment needs to be rescheduled and we need to contact you quickly.
- Email. This may be as part of the One Health and Care Project (see further information on this above) and Electronic appointment letters may be sent.
- Video conferencing. This is sometimes advantageous when staff are working remotely.
- Video Diagnosis - We may use video conferencing to help clinicians when making a diagnosis if the patient is not able to attend Clinic
- Secure App. You may be offered the opportunity to provide updated information via a secure app.
We may send electronic appointment letters or, on occasions, we may contact you by video conferencing. We may even offer you the opportunity to make contact with us via a Secure App which allows you to provide us with updated information.
If you have any questions about how we contact our patients, please contact the Data Security & Protection Team (DSPUHNM@uhnm.nhs.uk)
Page version control - v4 - 18/06/21
Now that the UK has formally left the EU, this has had an effect on the Trust's practices in terms of data being transferred to and from the EU.
The Trust's Data Security & Protection team has been following the Government's guidance (together with the guidance provided by the Information Commissioner's Office and NHS Digital) and has taken steps to assure itself that any data held off-shore (most usually via a Supplier's Cloud Storage arrangements) can be retrieved at any time.
Along these lines, the Trust is also making appropriate arrangements to provide assurance of data security for any information which may be held (or processed) in the United States. Such processing is most usually an element of our contractual arrangements with Suppliers which may include maintenance support by those suppliers.
Page Version Control - v1 - 28.1.21
UHNM are pleased to offer patients the opportunity to sign up for Patients Know Best (PKB) - our patient information portal that gives you secure access to your medical information from any smartphone, tablet or computer.
It is intended that you will be able to:
- view all your hospital letters and appointments online
- see your test or radiology results
with other applications becoming available over time.
The service is provided in partnership with Patients Know Best (PKB).
You can find answers to some Common Questions, or learn more about the features of the PKB Patient System at Patients Know Best
Page Version Control - v1 - 15.11.22
V4.2 07 Feb 2019
University Hospitals of North Midlands NHS Trust ("the Trust") is committed to protecting the personal data of its employees. This Notice sets out important information about how the Trust ("the Trust" or "we" or "us") collects and uses your personal data during the course of your employment and after your employment has ended.
This privacy notice is intended for employees of the Trust as well as bank workers, employees who have left the organisation, staff on honorary contracts, staff seconded into and out of the organisation, students, and people undertaking work experience at the Trust.
You should read this Notice carefully and raise any questions you may have with the HR Directorate (e-mail email@example.com) or Data Security and Protection (e-mail - DSPUHNM@uhnm.nhs.uk)
Scope of the Privacy Notice
In connection with your employment, the relevant Data Controller is the University Hospitals of North Midlands NHS Trust
Personal data means information which identifies you and relates to you as an individual.
As your employer, the Trust will collect, use and store your personal data for a wide variety of reasons in connection with the employment relationship.
Your personal details such as your name, address, telephone numbers, personal email address and date of birth, next of kin details in order to administer your employment, manage our business and ensure that we can contact you in an emergency
Terms and conditions of your employment
Your national insurance number, tax and bank details, in order to pay you and details of your pension in order to enrol you onto the relevant scheme
Information about your skills, qualifications, employment history, experience and (where relevant) professional membership, training history in order to verify your skills and to comply with our legal obligations
Your nationality and immigration status to confirm your eligibility to work in the UK
Information about your remuneration, including entitlement to benefits
Trade union membership
Information about any criminal record
Medical information relevant to your employment, including physical health, mental health and absence history - in order to monitor sick leave and take decisions about your fitness to work as well as whether or not you have a disability for which the Trust needs to make reasonable adjustments
Information relating to your health and safety at work, and any incidents or accidents
Equal opportunities monitoring information, including information about ethnicity, gender, health, religion or sexual orientation, in order to monitor our compliance with equality legislation
Details of your working patterns (days of work and working hours) and attendance at work to ensure correct pay
Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you (including tribunal claims) and related correspondence
Assessments of your performance, including PDRs/appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
Photographs and visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security and ID badges
The Trust collects this information in a variety of ways, for example:
Documents gathered during the recruitment process (including cv, application form, references, professional memberships and qualifications, background vetting information)
Documents maintained and updated during your employment relating to professional memberships and qualifications and statutory and mandatory training (including but not limited to professional revalidation)
General employment records including details of training, disciplinary and grievance matters, benefits, holiday and other absences, along with a copy of your employment contract, performance records (including PDR/appraisal documentation) and compensation history*
Information gathered through the Trust's monitoring of its IT systems, building access records and CCTV recording
Personal records/documents such as your passport, driving licence or other identity documents*
Forms completed by you at the start or during employment (such as new starter form, ID checks, OH referrals, PDR records)*
Correspondence with you; interview or other assessment records; in person (through meetings or over the telephone); survey forms, questionnaires or registration forms
Timesheets, rostering and other time and attendance records*
From third parties (previous employer; via recruitment systems ‘Trac’ and ‘NHS jobs’; pensions agency; information from employment background check providers; the Disclosure and Barring Service; professional bodies; medical and GP records; government bodies like HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration).
Personal data which you otherwise voluntarily provide, for example when using your Trust e-mail account
*Note: The personal data provided by you and marked with * in the list above is mandatory in order for us to administer the employment relationship and/or comply with statutory requirements relating to immigration or taxation. Failure to provide mandatory personal data may affect our ability to accomplish the purposes stated in this Notice and potentially affect your ongoing employment.
The list set out above is not exhaustive, and there may be other personal data which the Trust collects, stores and uses in the context of the employment relationship. We will update this Privacy Notice from time to time to reflect any notable changes in the categories of personal data which the Trust processes.
The majority of the personal data which we process will be collected directly from you. In limited circumstances your personal data may be provided by third parties, such as former employers, official bodies (such as regulators or criminal record bureaus) and medical professionals.
On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used by the Trust to manage the workforce leading to improved efficiency and improved patient safety.
The Trust uses your personal data for a variety of purposes in order to perform its obligations under your employment contract, to comply with legal obligations or otherwise in pursuit of its legitimate organisational interests. We have set out below the main purposes for which employee personal data is processed:
the payment of wages and the administration of benefits under the employment contract
the day to day management of tasks and responsibilities
to manage and assess performance, including the conduct of annual PDRs/appraisals
to consider eligibility for promotion or for alternative roles within the Trust
to comply with legal requirements, such as reporting to HMRC or professional regulators
to address disciplinary and grievance issues with individual employees
to protect the Trust's confidential and proprietary information, and intellectual property
to monitor the proper use of the Trust's IT systems
to prevent fraud against the Trust and its clients
to safeguard the interests of the Trust's patients
to comply with any statutory or regulatory obligations, including but not limited to information provided to the CQC, NHS England, NHS Improvement and regulators of clinical professionals such as the Nursing and Midwifery Council and General Medical Council
if an organisational transfer or change of ownership occurs
Again, this list is not exhaustive and the Trust may undertake additional processing of personal data in line with the purposes set out above. The Trust will update this Notice from time to time to reflect any notable changes in the purposes for which it processes your personal data.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
What special categories of personal data do we process?
Certain categories of data are considered "special categories of personal data" and are subject to additional safeguards. The Trust limits the special categories of personal data which it processes as follows:
The Trust may process information about an employee's physical or mental health in order to comply with its obligations in connection with employment, in particular to:
- administer sick pay entitlements
- facilitate the assessment and provision of NHS Injury Allowance
- comply with obligations owed to disabled employees
- comply with patient care, health regulatory and health and safety obligations
- maintain a sickness absence record
- obtain Occupational Health advice and support from the Trust's external Occupational Health Service Provider
- to promote and improve the health, safety, welfare and wellbeing of employees
We will always treat information about health as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure.
Health information will typically be retained in accordance with the Records Management: Code of Practice for Health and Social Care 2021, which can be accessed via the following link:
Disclosure and Barring checks/information (DBS)
Given the nature of our organisation, DBS requirements apply to all employees working in the Trust.
We are required to carry out DBS checks for all clinical roles, other regulated roles and for any roles that involve contact with patients in the course of their normal duties. In all cases, we carry out the checks in line with the applicable law.
For clinical and other regulated roles, DBS checks may be repeated periodically during the course of employment in line with Trust Policy and Procedure for the Disclosure and Barring Service Check.
We will always treat DBS information as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure.
- Retention of DBS: Once a recruitment (or other relevant) decision has been made, Disclosure information is retained for a period of up to six months, to allow for the consideration and resolution of any disputes or complaints. If, in very exceptional circumstances, it is considered necessary to keep Disclosure information for longer than six months, the Trust will consult with the Data Subject about this and will give full consideration to the data protection and human rights of the individual before doing so. Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.
- Disposal of DBS: Once the retention period has elapsed, any Disclosure information is immediately destroyed by secure means. However, the Trust may keep a record of the date of issue of a Disclosure, the name of the subject, the type of Disclosure requested, the position for which the Disclosure was requested, the unique reference number of the Disclosure and the details of the recruitment decision taken.
Equal Opportunities Monitoring
The Trust is committed to providing equal opportunities in employment and career progression for all of its employees and from time to time it will process information relating to ethnic origin, race, nationality, sexual orientation and disability, alongside information relating to gender and age, for the purposes of equal opportunities monitoring and gender pay reporting.
We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure. In addition, this monitoring and reporting will always take place in accordance with appropriate safeguards as required under applicable law, including:
the provision of information relating to ethnic origin, race, nationality, sexual orientation and disability for the purposes of monitoring will be voluntary and processed for this purpose only;
the monitoring and reporting will be conducted on the basis of using anonymised data so individual employees cannot be identified;
When do we share employee personal data?
The Trust will share employee personal data with other parties only in limited circumstances and where this is necessary for the performance of the employment contract or to comply with a legal obligation, or otherwise in pursuit of its legitimate business interests as follows:
Background vetting specialists
Occupational health and staff support providers
National fraud initiative
Internal and external auditors
The Department of Health
Any applicable regulatory body
HMRC and/or any other applicable government body
Accountants, lawyers and other professional advisers
In cases not governed by regulation or legislation, the employee personal data is shared under the terms of a written agreement between the Trust and the third party which includes appropriate security measures to protect the personal data in line with this Notice and our obligations. The third parties are permitted to use the personal data only for the purposes which we have identified or as is permitted by law, and not for their own purposes, and they are not permitted to further share the data without our express permission.
As an employer within the National Health Service, the Trust may be required to share employee personal data with other Trusts from time to time for the purposes set out in this Notice. In particular, the Trust shares employee personal data for the purposes of facilitating cross-organisation clinical care; operational effectiveness; medical research, and for pre-employment checking purposes.
Occasionally, the Trust may be required to disclose employee personal data in response to Freedom of Information Requests. All staff should be aware that information regarding AfC staff at Band 7 and above will be released if requested. This applies to corporate / Trust information (i.e., work contact details) not personal information. AfC bands and job descriptions will be released for all Trust roles if requested. [DSP08 Freedom of Information Policy]
The Trust's policy is to retain personal data only for as long as needed to fulfil the purpose(s) for which it was collected, or otherwise as required under applicable laws and regulations. Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. We reserve the right to retain and use such anonymous data for any legitimate business purpose without further notice to you.
The Trust is required to have records management procedures in place that cover the creation, filing, location, retrieval, appraisal, archive and destruction of records, in accordance with the Records Management: Code of Practice for Health and Social Care 2021
The Trust will always seek to process your personal data in accordance with its obligations and your rights.
You will not be subject to decisions based solely on automated data processing without your prior consent.
In certain circumstances, you have the right to seek the erasure or correction of your personal data, to object to particular aspects of how your data is processed, and otherwise to seek the restriction of the processing of your personal data. You also have the right to request the transfer of your personal data to another party in a commonly used format. If you have any questions about these rights, please contact your local Information Governance Officer using the details set out below.
You have a separate right of access to your personal data processed by the Trust.
If you want to see your personal data, you should, in the first instance, speak to your line manager. If your line manager is unable or unwilling to agree to the request, you can make a Subject Access Request by writing to the Director of Human Resources and including your:
Full name, address and contact details
Employee number and/or national insurance number
Details of the specific information required and any relevant dates.
The HR Directorate have a Standard Operating Procedure in place to ensure that Subject Access Requests are dealt with according to the requirements of the Data Protection Act and GDPR.
You may be asked for information to confirm your identity and/or to assist the Trust to locate the data you are seeking as part of the Trust's response to your request.
Finally, you have the right to raise any concerns about how your personal data is being processed with the Information Commissioner's Office (ICO):
ICO website: https://ico.org.uk/concerns/
Telephone 0303 123 1113 or
The HR Directorate oversees compliance with this Notice in conjunction with the Trust’s Information Governance Department to deal with any questions or concerns. If you would like further information about the matters set out in this Notice, please contact the Trust’s Information Governance Department or HR Directorate. Contact details are set out below:
Human Resources Email: firstname.lastname@example.org
Data Security and Protection Email: DSPUHNM@uhnm.nhs.uk
University Hospitals of North Midlands (UHNM) is required to provide you with details on the type of personal information which we collect and process. In addition to any other privacy notice which we may have provided to you, this notice relates to the information collected and processed in relation to the FPPT.
The FPPT in ESR is commissioned by NHS England.
Contact: Nicola Hassall
Address: Ground Floor, Springfield, Royal Stoke, Newcastle Road, ST4 6QG
Phone Number 01782 676625
The type of personal information we collect is in relation to the FPPT for board members and is described below, much of which is already collected and processed for other purposes than the FPPT:
- Name and position title
- Employment history – this includes details of all job titles, organisations, departments, dates, and role descriptions
- Job description and person specification in previous role
- Date of medical clearance
- Record of training and development in application/CV
- Training and development in the last year
- Appraisal, incorporating the completion of Leadership Competency Framework
- Record of any upheld, ongoing or discontinued disciplinary, complaint, grievance, adverse employee behaviour or whistleblowing findings
- DBS status
- Registration/revalidation status (where required)
- Insolvency check
- A search of the Companies House register to ensure that no board member is disqualified as a Director
- A search of the Charity Commission’s register of removed Trustees
- A check with the CQC, NHS England and relevant professional bodies where appropriate
- Social media check
- Employment tribunal judgement check
- Exit reference completed (where applicable)
- Annual self-attestation signed, including confirmation (as appropriate) that there have been no changes
Processing of this data is necessary on the lawful basis set out in Article 6(1)(e) UK GDPR as the foundation for the database. This is because it relates to the processing of personal data which is necessary for the performance of the FPPT which is carried out in the public interest and/or in the exercise of official authority vested in the controller.
For Care Quality Commission (CQC) registered providers, ensuring directors are fit and proper is a legal requirement for the purposes of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and organisations are required to make information available connected with compliance to the CQC.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you as part of your application form and recruitment to satisfy recruitment checks and the FPPT requirements. We may also receive personal information indirectly, from the following sources in the following scenarios:
- References when we have made a conditional offer to you
- Publicly accessible registers and websites for our FPPT
- Professional bodies for FPPT to test registration and/or any other ‘fitness’ matters shared between organisations
- Regulatory bodies, e.g. CQC and NHS England
We use the information that you have given us to:
- conclude whether or not you are fit and proper to carry out the role of board director
- inform the regulators of our assessment outcome.
We may share this information with NHS England, CQC, future employers (particularly where they themselves are subject to the FPP requirements), and professional bodies.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- We need it to perform a public task.
How we store your personal information
Your information is securely stored. We keep the ESR FPPT information including the board member reference, for a career long period. We will then dispose of your information in accordance with our policies and procedures regarding retention periods as set out in Policy DSP16 Information Lifecycle & Records Management and the Records Management: NHS Code of Practice.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances
- You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you
Please contact DSPUHNM@uhnm.nhs.uk
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at DPOUHNM@uhnm.nhs.uk. You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.
The ICO’s address
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Cookies are text files containing small amounts of information that some websites leave on your computer. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow websites to recognise a user's device, let users navigate between pages efficiently, remember users' preferences, and generally improve the user experience.
By using this website, you consent to the processing of data by UHS in the manner and for the purposes set out above. You can find out more information about cookies at www.allaboutcookies.org.
Page version Control - v1 - 07/09/23
Your duty to inform us of changes
It is important that you keep us updated of any changes to your personal information to ensure that all the information we hold is accurate and current.