Your Staff Information

Your Staff/Volunteer/Veteran Information (Privacy Policy)

This privacy notice tells you about information we obtain, hold and use about you.  It describes what we do with it, how we will look after it and who we share it with.  It covers information we collect directly from you as well as information we may get from other individuals or organisations.

This notice does not provide exhaustive detail.  However, we keep and maintain accurate and detailed records about how your information is used.  We can provide further detail and explanation outside of this information should it be requested and without charge.  Contact details can be found at the end of this page.

Occupational Health

Occupational health records are not part of the main staff/volunteer records and for reasons of confidentiality they are held separately and confidentially by Sherwood Forest Hospitals NHS Foundation Trust Occupational Health.  We will always ask for your consent before sharing any part of your Occupational Health record and they will not be shared or used for any other purpose without your consent. Occupational Health records will be retained and destroyed in line with the Records Management Code of Practice 2020 (dependent on any COSHH health surveillance required during employment).

Our Occupational Health service is continuing to experience a significant increase in demand for our services since the onset of the COVID-19 pandemic.

As a result, it has been agreed that Occupational Health will work in partnership with the Occupational Health provider TP Health and Nottingham University Hospitals NHS Trust Occupational Health department to help increase capacity for Manager Referral appointments at the Trust.

If it is necessary to ask your GP or other treating clinician for further information about your health, your specific consent will be sought.

As well as paper records, Occupational Health information is stored on an electronic database called OPAS.

Access to NHS Staff COVID-19 Test Results

Tests are entirely voluntary.  You may be invited to get tested, but there is no compulsion to be tested.  You may test positive or negative.  You may need to take further action following your result such as self-isolation or returning/continuing to work.  Employers can ask staff if they have been tested (and if so the result of the test).  You do not have to disclose the result, unless this impacts on your working ability (e.g. if you need to self-isolate the employer will need to make plans to manage your absence).  If there is a possibility coronavirus was contracted in the workplace it would require the employer to report this to the Health and Safety Executive (as part of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995).

Flu vaccines and the COVID-19 response

On average, flu kills over 11,000 people each year – some years this number is much higher – and it hospitalises many more. This is anything but a typical year due to the potential impact of flu and COVID-19 circulating at the same time. 

This year, as well as GP practices inviting key eligible groups to receive their vaccination, reminders have gone out nationally to supplement this.

This guidance describes how data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.

Please note information about flu vaccines received by NHS staff in any health setting will be collected by NHS England. In addition, information from your Electronic Staff Record (ESR) will be collected so that it can be matched with any flu vaccination record, for example, if you received a vaccine from your GP or community pharmacist. This will ensure the NHS holds an accurate update of your vaccination status which will support the purposes of the national vaccination programme and also ensure your GP practice is aware of your vaccination status.

COVID-19 Vaccination Data

Data on vaccination status is being collated, used and processed for the purposes of delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID, including the provision of information, fit notes and the provision of healthcare and social care services.

Vaccination status data is ‘health’ information and will be kept confidential, with access to it strictly controlled. It is also ‘special category’ data for the purposes of data protection legislation (the UK GDPR), which means that it must be used fairly, lawfully, supported by good reasons, and in compliance with other specific obligations under data protection law.

We shall collate and hold information on an individual’s vaccination status securely and in compliance with our obligations under the UK General Data Protection Regulation, the Data Protection Act 2018, COPI and all other data protection legislation.  The UK General Data Protection Regulation (UK GDPR) allows health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.

Smartcard users and the use of personal data

In Public Key Infrastructure (PKI) terms there is a single Registration Authority (that is, NHS Digital).  All organisations that run a local Registration Authority (RA) do so on a delegated authority basis from NHS Digital.

The Trust’s local RA function carries out identity checks of applicants to create their national verified digital identity.  Smartcards (secure tokens) are then issued to users utilising strong two-factor authentication.  Appropriate access permissions are assigned to the professional’s user profile.

How we monitor unauthorised access

The FairWarning® patient privacy monitoring system detects potential instances of unauthorised access to patient information held within GE PACS, CRIS and Orion. Through the FairWarning® system we are able to identify and investigate instances of unauthorised access to patient information.

FairWarning® allows us to:

  • Detect potentially unauthorised access to patient information;
  • Highlight unusual or suspicious activity for further investigation;
  • Enable investigation of access to specific patients’ records; and
  • Enable investigation of access made by specific members of staff.

All activity, including patient searches and demographic look-ups, is monitored by FairWarning® and staff are reminded to only access the records of patients in which they have a legitimate interest.

Unauthorised access includes:

  • Accessing the records of colleagues, friends, your children, other family members or neighbours. This access may be malicious and/or out of simple curiosity. It may even be at the request of the individual;
  • Accessing your own record;
  • Accessing the records of people of media interest.

Where unauthorised access is identified, this will be investigated and, if proven, could result in serious disciplinary action being taken and possibly a referral to the GMC for medical staff.

Should you require further information on FairWarning®, please contact Information Governance.

Human Resources (HR) and Payroll Services

Relevant details about you will be provided to Capita HR Services who provide payroll services to the Trust.  This will include your name, bank details, address, date of birth and National Insurance Number.

For efficient communication, we will utilise the email address stored in your Electronic Staff Record (ESR) to ensure consistency, as some individuals may use personal email addresses.  This will include official messages from our Communications Team and Declaration of Interests administrator.  Please find details of our Declaration of Interests available here

Cabinet Office’s National Fraud Initiative

We are required by law to protect the public funds we administer.  We may share information provided to us with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.  The Cabinet Office appoints the auditor to audit our accounts and is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match.  This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is identified it may indicate that there is an inconsistency which requires further investigation.  No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud.  We are required to provide particular sets of data to the Minister for Cabinet Office for matching for each exercise, as detailed here

Your personal information may be shared internally and with other agencies such as the Cabinet Office, and may be used in data matching exercises, for the prevention and detection of crime.  Your payroll details will be used by the organisation for cost evaluation and control purposes, including reporting to relevant managers.  We will also provide your details as required to ensure compliance with statutory requirements and relevant legislation, for example to Her Majesty’s Revenue and Customs (HMRC).

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under the Data Protection Act 2018.  Data matching by the Cabinet Office is subject to a Code of Practice.

All our suppliers’ data may be submitted to the National Fraud Initiative on a regular basis.  This use of data is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  You can read further information about the national fraud initiative here.


The Community Involvement Team will carry out regular reviews and well-being checks on all volunteers, to ensure you are well and settled in your current volunteer role.

Work experience and Volunteering

Personal data may be collected from you via the work experience or volunteering process.  The information that we collect about you may include details such as name, address, telephone, email, date of birth and next of kin/emergency contacts, references, personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your work experience placement, medical information relevant to your work experience placement, including physical and mental health.

Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access.

To process your application for your work experience placement and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others.  We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.

When you apply for a volunteer/work experience placement you will be asked to agree to your personal data being safely stored by Health Education England, East Midlands and its partner organisations and being used only in relation to your work experience placement and related projects.

Your information will be kept for the duration of the work experience/Volunteering placement and for 5 years following the end of your placement. 


We are proud to be working towards accreditation from the Veterans Covenant Healthcare Alliance (VCHA), where we will commit to a number of principles:

  • To be an employer who supports the Armed Forces Community by offering programmes such as ‘Step into Health’ to develop careers and to support health and wellbeing in the NHS.
  • To continue to promote the flexible working opportunities and roles available in the Trust to meet the needs of the individual and the Trust through existing Trust opportunities including the Veterans forum, Armed Forces Community Navigator, Reservists and ‘Step into Health’.
  • To ensure staff undertake training to raise awareness of the specific needs of the Armed Forces Community and requirements of the Armed Forces Covenant.
  • To continue to identify the Armed Forces Community at first point of contact and ensure staff are able to signpost individuals to relevant services.

Further information is available here: Veteran’s and Armed Forces Care - Sherwood Forest Hospitals

CCTV and Body Worn Video

Within the Trust premises CCTV cameras and Body Worn Video are used for the following purposes only:

  • To protect staff, patients and visitors
  • To protect Trust premises and assets
  • To increase personal safety and reduce the fear of crime.
  • To reduce incidents of violence and aggression to staff members
  • To support the Police in reducing and detecting crime
  • To assist in identifying, apprehending and prosecuting offenders
  • To provide a deterrent effect and reduce criminal activity.
  • To assist in the traffic management and car parking services, and Health & Safety.


We use email to provide newsletters and key updates regarding information about the Trust or the Charity, and information/data on the voluntary services.


We will continue to hold some personal information about you as a volunteer member of Sherwood Forest Hospitals NHS Foundation Trust via a secured third-party online database run by Civica.  This enables us to fulfil our legal requirement to maintain a membership of the Trust, ensure this membership is representative of the people we serve, and run elections for Trust Governors.

This also means you will continue to receive our membership newsletter and occasional updates.  The data that we hold about you, as a member, is kept securely and only used in relation to your membership of the Trust.  To make sure the data we hold about you is up-to-date, please do let us know if you have changed address, your name or your contact details.  You can do this by emailing or calling 01623 672294.
If you no longer wish to be a Trust member and do not wish to receive any further updates from us, then please email your name and address to, with a message saying you wish to unsubscribe.  You can also call 01623 672294.

If you wish to know more about Civica’s Privacy Policy please visit their website here.

Step Into Health

The Step into Health programme supports employers and volunteers in the NHS to recruit from the Armed Forces community (e.g. service leavers, spouses, dependents) by providing tailored access routes to employment and training opportunities. As part of this work the team at NHS Employers provides tools, guidance and support to NHS organisations so they can engage with the Armed Forces community and therefore have a more representative workforce. By employing across diverse groups, the NHS can seek to address its workforce supply issues and improve patient care as well as the overall performance of its workforce.

For more information access their privacy notice here

People who contact us via social media

We use a third-party provider, Tweetdeck, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Tweetdeck for three months.  It will not be shared with any other organisations.  For more information, please see Tweetdeck privacy notice.

If you use your mobile phone to take photographs and publish them on social media channels you will have to ensure you have written consent from the public and staff to prove everyone actively gave their consent.  You are free to use our consent forms here (internal link).

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

How can I see the information you hold about me?

You have the ‘right of access’ to information we hold about you.  Our policy is here, our procedure is here

Please email or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield


NG17 4JL

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law we have a duty to make sure that our services are accessible to all service users.  You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.

If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

Further advice is available from:

Can we withhold any information?

Yes.  There are some circumstances where the information you have asked for contains information that relates to another person.  Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.

The Act covers personal information that:

  • is held, or going to be held on computer;
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
  • is in most employment, health, educational, social service or housing records; or
  • is other information held by a public authority.

What can I do if I believe we have not sent all the information to which I am entitled?

If you feel we have withheld some of your personal information, we recommend you contact us with your concern.  Make sure you state the information you think is being withheld.

If you have contacted us and still believe some of your personal information is being withheld, please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 6th September 2023.

Data Protection Officer

Jacquie Widdowson, Head of Data Security and Privacy, 01623 435425.

Our ICO registration number is Z4885823.  Further information on the Data Protection Act 2018 can be found here

How to contact us

If you want to request information about our privacy policy you can email us:

Or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield


NG17 4JL