Your Staff Information


Your Staff/Volunteer Information (Privacy Policy)

This privacy notice tells you about information we obtain, hold, and use about you.  It describes what we do with it, how we will look after it and who we share it with.  It covers information we collect directly from you as well as information we may get from other individuals or organisations.

This notice does not provide exhaustive detail.  However, we keep and maintain accurate and detailed records about how your information is used.  We can provide further detail and explanation outside of this information should it be requested and without charge.  Contact details can be found at the end of this page.

Occupational Health

Occupational health records are not part of the main staff/volunteer records and for reasons of confidentiality they are held separately and confidentially by Sherwood Forest Hospitals NHS Foundation Trust Occupational Health.  We will always ask for your consent before sharing any part of your Occupational Health record, and it will not be shared or used for any other purpose without your consent. Occupational Health records will be retained and destroyed in line with the Records Management Code of Practice 2020 (dependent on any COSHH health surveillance required during employment).

Our Occupational Health service is continuing to experience a significant increase in demand for our services since the onset of the COVID-19 pandemic.

As a result, it has been agreed that Occupational Health will work in partnership with the Occupational Health provider TP Health and Nottingham University Hospitals NHS Trust Occupational Health department to help increase capacity for Manager Referral appointments at the Trust.

If it is necessary to ask your GP or other treating clinician for further information about your health, your specific consent will be sought.

As well as paper records, Occupational Health information is stored on an electronic database called OPAS: http://www.warwickicsystems.com/privacy-and-cookie-policy/

Access to NHS Staff COVID-19 Test Results

Tests are entirely voluntary.  You may be invited to get tested, but there is no compulsion to be tested.  You may test positive or negative.  You may need to take further action following your result such as self-isolation or returning/continuing to work.  Employers can ask staff if they have been tested (and if so the result of the test).  You do not have to disclose the result, unless this impacts on your working ability (e.g. if you need to self-isolate the employer will need to make plans to manage your absence).  If there is a possibility coronavirus was contracted in the workplace it would require the employer to report this to the Health and Safety Executive (as part of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995).

Flu vaccines and the COVID-19 response

On average, flu kills over 11,000 people each year – some years this number is much higher – and it hospitalises many more. This is anything but a typical year due to the potential impact of flu and COVID-19 circulating at the same time. 

This year, as well as GP practices inviting key eligible groups to receive their vaccination, reminders have gone out nationally to supplement this.

This guidance describes how data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.

Please note information about flu vaccines received by NHS staff in any health setting will be collected by NHS England. In addition, information from your Electronic Staff Record (ESR) will be collected so that it can be matched with any flu vaccination record, for example, if you received a vaccine from your GP or community pharmacist. This will ensure the NHS holds an accurate update of your vaccination status which will support the purposes of the national vaccination programme and ensure your GP practice is aware of your vaccination status.

COVID-19 Vaccination Data

Data on vaccination status is being collated, used, and processed for the purposes of delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID, including the provision of information, fit notes, and the provision of healthcare and social care services.

Vaccination status data is ‘health’ information and will be kept confidential, with access to it strictly controlled. It is also ‘special category’ data for the purposes of data protection legislation (the UK GDPR), which means that it must be used fairly, lawfully, supported by good reasons, and in compliance with other specific obligations under data protection law.

We shall collate and hold information on an individual’s vaccination status securely and in compliance with our obligations under the UK General Data Protection Regulation, the Data Protection Act 2018, COPI and all other data protection legislation.  The UK General Data Protection Regulation (UK GDPR) allows health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.

Smartcard users and the use of personal data

In Public Key Infrastructure (PKI) terms there is a single Registration Authority (that is, NHS Digital).  All organisations that run a local Registration Authority (RA) do so on a delegated authority basis from NHS Digital.

The Trust’s local RA function carries out identity checks of an applicant(s) to create their national verified digital identity.  Smartcards (secure tokens) are then issued to users utilising strong two-factor authentication.  Appropriate access permissions are assigned to the professional’s user profile.

How we monitor unauthorised access

The FairWarning® patient privacy monitoring system detects potential instances of unauthorised access to patient information held within some of our digital systems. Through the FairWarning® system we can identify and investigate instances of unauthorised access to patient information.

FairWarning® allows us to:

  • Detect potentially unauthorised access to patient information.
  • Highlight unusual or suspicious activity for further investigation.
  • Enable investigation of access to specific patients’ records; and
  • Enable investigation of access made by specific members of staff.

All activity, including patient searches and demographic lookups, is monitored by FairWarning® and staff are reminded to only access the records of patients in which they have a legitimate interest.

Unauthorised access includes:

  • Accessing the records of colleagues, friends, your children, other family members or neighbours. This access may be malicious and/or out of simple curiosity. It may even be at the request of the individual.
  • Accessing your own record.
  • Accessing the records of people of media interest.

Where unauthorised access is identified, this will be investigated and, if proven, could result in serious disciplinary action being taken and possibly a referral to the GMC for medical staff.

Should you require further information on FairWarning®, please contact Information Governance at sfh-tr.information.governance@nhs.net.

Human Resources (HR) and Payroll Services

Relevant details about you will be provided to Capita HR Services who provide payroll services to the Trust.  This will include your name, bank details, address, date of birth, and National Insurance Number.

For efficient communication, we will utilise the email address stored in your Electronic Staff Record (ESR) to ensure consistency, as some individuals may use personal email addresses.  This will include official messages from our Communications Team and Declaration of Interests administrator.  Please find details of our Declaration of Interests available here

Digital Staff Passport

Where we are your current employer, we are the controller for your information. A controller decides on why and how information is used and shared.

Where we are your ‘new’ or future employer, we will become the controller of any records created using your Digital Staff Passport.

How do we get information and why do we have it?

The personal information we collect is provided directly from you for one of the following reasons:

  • you have applied for a job with us or work for us, and
  • you have chosen to use the NHS Digital Staff Passport.

We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations you are employed with, through the Electronic Staff Record (ESR), to speed up pre-employment checks when you move between NHS organisations.

What information do we collect?

Personal information

We currently need the following personal information to provide your Digital Staff Passport:

  • basic personal details about you – your name, address, date of birth, email address and an ID photo of you
  • basic details relating to your work status – Disclosure and Barring Service (DBS) information, right to work information (residency/visa), your professional registration details (such as the General Medical Council, Nursing and Midwifery Council, General Dental Council or Health and Care Professions Council), your ESR assignment number
  • clinical training and qualification details, any other specific clinical skills, and any restrictions on your practice
  • basic details relating to your current employment – employing organisation, job role, staff group, department, start date, pay band, work email address, area of work, job title
  • details of any supporting evidence or document e.g. passport number, driving licence number

You can also choose to provide the following additional optional information:

  • maiden name or previous name
  • preferred pronouns
  • phone number
  • country of birth
  • next of kin or emergency contact details
  • marital status

More sensitive information

We need the following more sensitive data to provide your Digital Staff Passport:

  • limited healthcare information relating to your employment – specifically, occupational health clearance status

We process the following more sensitive data where you have chosen to provide it:

  • data revealing racial or ethnic origin
  • data concerning a person’s sexual orientation
  • data revealing religious or philosophical beliefs
  • immunisation, vaccine, and testing data in relation to tuberculosis (TB) and varicella (to be extended in the future)

Who do we share information with?

Information will be shared with NHS England, who will host the data, and who will also remove any identifiers (such as your name) to then use the data to analyse the service and for reporting purposes. NHS England data engineers may also be granted access to the data in limited circumstances, such as in the case of an investigation.

NHS England will also work with a carefully selected third party (Sitekit Ltd) to provide technical support for the Digital Staff Passport.

Sitekit will not routinely have access to your personal data. There may however be occasions where personal data is shared with Sitekit if technical support is needed.

Your information will also be shared with organisations, such as Yoti and Microsoft (through the Authenticator app), who will verify your identity to ensure that it is in fact you who is requesting access to your Digital Staff Passport.

Is information transferred outside the UK?

Some of your login data (specifically forename, surname, and email address) is securely stored on data servers in European countries covered by the EU General Data Protection Regulation.

What is our lawful basis for using information?

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for using personal information are:

(c) We have a legal obligation - the Employment Rights Act 1996 sets out requirements for employers in relation to their employees. This includes keeping records of staff when working for them.

(e) We need it to perform a public task - See this list for the most likely laws that apply when using and sharing information in health and care. This legal basis applies to the information that is not subject to a legal obligation but is provided by you to support us as your employing organisation in the performance of our public task.

More sensitive data

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category) is:

(b) We need it for employment, social security, and social protection reasons (if authorised by law). See this list for the most likely laws that apply when using and sharing information in health and care.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us with your consent upon agreeing to the terms and conditions of the use of the Digital Staff Passport.

How do we store your personal information?

Your data will be stored by NHS England in the Microsoft Azure cloud. When you download your passport to your mobile device, your passport details will be held within the Microsoft Authenticator digital wallet app. Both storage locations have robust security measures in place to ensure your data is safe and secure.

Your data will be held for as long as your Digital Staff Passport is active. If you temporarily disable your passport, your data will be retained so that the process for reactivating your Digital Staff Passport is convenient for you. However, if you permanently delete your Digital Staff Passport account, your data will be deleted.

National data opt-out

  • we are not applying the national data opt-out because we are not using confidential patient information for planning or research purposes

Cabinet Office’s National Fraud Initiative

We are required by law to protect the public funds we administer.  We may share information provided to us with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.  The Cabinet Office appoints the auditor to audit our accounts and is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match.  This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is identified it may indicate that there is an inconsistency which requires further investigation.  No assumption can be made as to whether there is fraud, error, or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud.  We are required to provide particular sets of data to the Minister for Cabinet Office for matching for each exercise, as detailed here

Your personal information may be shared internally and with other agencies such as the Cabinet Office, and may be used in data matching exercises, for the prevention and detection of crime.  Your payroll details will be used by the organisation for cost evaluation and control purposes, including reporting to relevant managers.  We will also provide your details as required to ensure compliance with statutory requirements and relevant legislation, for example to Her Majesty’s Revenue and Customs (HMRC).

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under the Data Protection Act 2018.  Data matching by the Cabinet Office is subject to a Code of Practice.

All our suppliers’ data may be submitted to the National Fraud Initiative on a regular basis.  This use of data is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  You can read further information about the national fraud initiative here.

Reviews

The Community Involvement Team will carry out regular reviews and well-being checks on all volunteers, to ensure you are well and settled in your current volunteer role.

Work experience and Volunteering

Personal data may be collected from you via the work experience or volunteering process.  The information that we collect about you may include details such as name, address, telephone, email, date of birth and next of kin/emergency contacts, references, personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your work experience placement, medical information relevant to your work experience placement, including physical and mental health.

Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access.

To process your application for your work experience placement and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others.  We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.

When you apply for a volunteer/work experience placement you will be asked to agree to your personal data being safely stored by Health Education England, East Midlands and its partner organisations and being used only in relation to your work experience placement and related projects.

Your information will be kept for the duration of the work experience/Volunteering placement and for 5 years following the end of your placement. 

Veterans

We are proud to be working towards accreditation from the Veterans Covenant Healthcare Alliance (VCHA), where we will commit to several principles:

  • To be an employer who supports the Armed Forces Community by offering programmes such as ‘Step into Health’ to develop careers in the NHS.
  • To continue to promote the flexible working opportunities and roles available in the Trust to meet the needs of the individual and the Trust through existing Trust opportunities including the Veterans forum, Armed Forces Community Navigator, Reservists and ‘Step into Health’.
  • To ensure staff undertake training to raise awareness of the specific needs of the Armed Forces Community and requirements of the Armed Forces Covenant.
  • To continue to identify the Armed Forces Community at first point of contact so that staff can signpost individuals to relevant services.

Further information is available here: Veteran’s and Armed Forces Care - Sherwood Forest Hospitals (sfh-tr.nhs.uk)

CCTV and Body Worn Video

Within the Trust premises CCTV cameras and Body Worn Video are used for the following purposes only:

  • To protect staff, patients, and visitors
  • To protect Trust premises and assets
  • To increase personal safety and reduce the fear of crime.
  • To reduce incidents of violence and aggression to staff members
  • To support the Police in reducing and detecting crime
  • To assist in identifying, apprehending, and prosecuting offenders
  • To provide a deterrent effect and reduce criminal activity.
  • To assist in the traffic management and car parking services, and Health & Safety.

E-newsletter

We use email to provide newsletters and key updates regarding information about the Trust or the Charity, and information/data on the voluntary services.

Membership

We will continue to hold some personal information about you as a volunteer member of Sherwood Forest Hospitals NHS Foundation Trust via a secured third-party online database run by Civica.  This enables us to fulfil our legal requirement to maintain a membership of the Trust, ensure this membership is representative of the people we serve, and run elections for Trust Governors.

This also means you will continue to receive our membership newsletter and occasional updates.  The data that we hold about you, as a member, is kept securely and only used in relation to your membership of the Trust.  To make sure the data we hold about you is up to date, please do let us know if you have changed address, your name, or your contact details.  You can do this by emailing sfh-tr.communications@nhs.net or calling 01623 672294.
 
If you no longer wish to be a Trust member and do not wish to receive any further updates from us, then please email your name and address to sfh-tr.membership@nhs.net, with a message saying you wish to unsubscribe.  You can also call 01623 672294.

If you wish to know more about Civica’s Privacy Policy, please visit their website here.

Step Into Health

The Step into Health programme supports employers and volunteers in the NHS to recruit from the Armed Forces community (e.g. service leavers, spouses, dependents) by providing tailored access routes to employment and training opportunities. As part of this work the team at NHS Employers provides tools, guidance, and support to NHS organisations so they can engage with the Armed Forces community and therefore have a more representative workforce. By employing across diverse groups, the NHS can seek to address its workforce supply issues and improve patient care as well as the overall performance of its workforce.

For more information access their privacy notice here

People who contact us via social media

We use a third-party provider, Tweetdeck, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Tweetdeck for three months.  It will not be shared with any other organisations.  For more information, please see Tweetdeck's privacy notice.

If you use your mobile phone to take photographs and publish them on social media channels you will have to ensure you have written consent from the public and staff to prove everyone actively gave their consent.  You are free to use our consent forms here (internal link).

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

How can I see the information you hold about me?

You have the ‘right of access’ to information we hold about you.  Our policy is here, our procedure is here

Please email sfh-tr.information.governance@nhs.net or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield

Nottinghamshire

NG17 4JL

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law we have a duty to make sure that our services are accessible to all service users.  You can request a response in a particular format that is accessible to you, such as Braille, large print, email, or audio format.

If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

Further advice is available from:

Can we withhold any information?

Yes.  There are some circumstances where the information you have asked for contains information that relates to another person.  Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.

The Act covers personal information that:

  • is held or going to be held on computer.
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved.
  • is in most employment, health, educational, social service, or housing records; or
  • is other information held by a public authority.

What can I do if I believe we have not sent all the information to which I am entitled?

If you feel we have withheld some of your personal information, we recommend you contact us with your concern.  Make sure you state the information you think is being withheld.

If you have contacted us and still believe some of your personal information is being withheld, please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 22nd July 2024.

Data Protection Officer

Jacquie Widdowson, Head of Data Security and Privacy, jacquie.widdowson@nhs.net, 01623 435425.

Our ICO registration number is Z4885823.  Further information on the Data Protection Act 2018 can be found here

How to contact us

If you want to request information about our privacy policy, you can email us:

sfh-tr.information.governance@nhs.net

Or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield

Nottinghamshire

NG17 4JL