Your Staff Information

Your Staff Information (Privacy Policy)

This privacy notice tells you about information we obtain, hold and use about you.  It describes what we do with it, how we will look after it and who we share it with.  It covers information we collect directly from you as well as information we may get from other individuals or organisations.

This notice does not provide exhaustive detail.  However, we keep and maintain accurate and detailed records about how your information is used.  We can provide further detail and explanation outside of this information should it be requested and without charge.  Contact details can be found at the end of this page.

Occupational Health

Occupational health records are not part of the main staff record and for reasons of confidentiality they are held separately and confidentially by Sherwood Forest Hospitals NHS Foundation Trust Occupational Health.  We will always ask for your consent before sharing any part of your Occupational Health record and they will not be shared or used for any other purpose without your consent.   Occupational Health records will be retained and destroyed in line with the Records Management Code of Practice 2020 (dependent on any COSHH health surveillance required during employment).

Our Occupational Health service is continuing to experience a significant increase in demand for our services since the onset of the COVID-19 pandemic.

As a result, it has been agreed that Occupational Health will work in Partnership with the Occupational Health provider TP Health and Nottingham University Hospitals NHS Trust Occupational Health department to help increase capacity for Manager Referral appointments at the Trust.

Going forward, Manager Referrals may therefore be forwarded to Team Prevent for processing.  A copy of the TP Health Privacy Statement can be accessed here.  A copy of Nottingham University Hospitals NHS Trust privacy notice is here. 

If it is necessary to ask your GP or other treating clinician for further information about your health your specific consent will be sought.

As well as paper records, Occupational Health information is stored on an electronic data base called OPAS

Access to NHS Staff COVID-19 Test Results

Tests are entirely voluntary.  You may be invited to get tested, but there is no compulsion to be tested.  You may test positive or negative.  You may need to take further action following your result such as self-isolation or returning/continuing to work.  Employers can ask staff if they have been tested (and if so the result of the test).  You do not have to disclose the result, unless this impacts on your working ability (e.g. if you need to self-isolate the employer will need to make plans to manage your absence).  If there is a possibility coronavirus was contracted in the workplace it would require the employer to report this to the Health and Safety Executive (as part of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995)).

Flu vaccines and the COVID-19 response

On average, flu kills over 11,000 people each year – some years this number is much higher – and it hospitalises many more. This is anything but a typical year due to the potential impact of flu and COVID-19 circulating at the same time. 

This year, as well as GP practices inviting key eligible groups to receive their vaccination, reminders have gone out nationally to supplement this.

This guidance describes how data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.

Please note information about flu vaccines received by NHS staff in any health setting will be collected by NHS England and Improvement. In addition, information from your Electronic Staff Record (ESR) will be collected so that it can be matched with any flu vaccination record, for example, if you received a vaccine from your GP or community pharmacist. This will ensure the NHS holds an accurate update of your vaccination status which will support the purposes of the national vaccination programme and also ensure your GP practice is aware of your vaccination status.

COVID-19 Vaccination Data

Data on vaccination status is being collated, used and processed for the purposes of delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID, including the provision of information, fit notes and the provision of healthcare and social care services.

Vaccination status data is ‘health’ information and will be kept confidential, with access to it strictly controlled. It is also ‘special category’ data for the purposes of data protection legislation (the UK GDPR), which means that it must be used fairly, lawfully, supported by good reasons, and in compliance with other specific obligations under data protection law.

We shall collate and hold information on an individual’s vaccination status securely and in compliance with our obligations under the UK General Data Protection Regulation, the Data Protection Act 2018, COPI and all other data protection legislation.   The UK General Data Protection Regulations (UK GDPR) allows health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.  

Smartcard users and the use of personal data

In Public Key Infrastructure (PKI) terms there is a single Registration Authority (that is, NHS Digital).  All organisations that run a local Registration Authority (RA) do so on a delegated authority basis from NHS Digital.

The Trust’s local RA function carries out identity checks of an applicant(s) to create their national verified digital identity.  Smartcards (secure tokens) are then issued to users utilising strong two factor authentication.  Appropriate access permissions are assigned to the professional’s user profile.  Further information is here. 

How we monitor unauthorised access

The FairWarning® patient privacy monitoring system detects potential instances of unauthorised access to patient information held within GE PACS, CRIS and Orion. Through the FairWarning® system we are able to identify and investigate instances of unauthorised access to patient information.

FairWarning® allows us to:

  • Detect potentially unauthorised access to patient information;
  • Highlight unusual or suspicious activity for further investigation;
  • Enable investigation of access to specific patients’ records; and
  • Enable investigation of access made by specific members of staff.

All activity, including patient searches and demographic look-ups, is monitored by FairWarning® and staff are reminded to only access the records of patients in which they have a legitimate interest.

Unauthorised access includes:

  • Accessing the records of colleagues, friends, your children, other family members or neighbours. This access may be malicious and / or simple curiosity. It may even be at the request of the individual;
  • Accessing your own record;
  • Accessing the records of people of media interest.

Where unauthorised access is identified this will be investigated and if proven could result in serious disciplinary action being taken and possibly a referral to the GMC for medical staff.

Should you require further information on FairWarning®, please contact information governance

Capita Human Resources (HR) and Payroll Services

Relevant details about you will be provided to Capita HR Services who provide payroll services to the Trust.  This will include your name, bank details, address, and date of birth, National Insurance Number and salary.  Here is a link to their Privacy Notice

Your payroll details will be used by the Trust for cost evaluation and control purposes, including reporting to relevant managers.  We will also provide your details as required to ensure compliance with relevant legislation, for example to Her Majesty’s Revenue and Customs (HMRC).  Here is a link to their Privacy Notice

Giltbyte uses the information we collect to operate, maintain and provide you with the features and functionality of the EASY suite of programs which includes the EASY Companion app, known as the EASY system.  Here is a link to their Privacy Notice


Likewise, your details will be provided to MyCSP who are the administrators of the Civil Service Pension Scheme, of which the Trust is a member organisation.  You will be auto-enrolled into the pension scheme and details provided to MyCSP will be your name, date of birth, National Insurance number and salary.  Your bank details will not be passed to MyCSP at this time.  Here is a link to their Privacy Notice.

Cabinet Office’s National Fraud Initiative

We are required by law to protect the public funds we administer.  We may share information provided to us with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.  The Cabinet Office appoints the auditor to audit our accounts, and is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match.  This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is identified it may indicate that there is an inconsistency which requires further investigation.  No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud.  We are required to provide particular sets of data to the Minister for Cabinet Office for matching for each exercise, as detailed here

Your personal information may be shared internally and with other agencies such as the Cabinet Office, and may be used in data matching exercises, for the prevention and detection of crime.  Your payroll details will be used by the organisation for cost evaluation and control purposes, including reporting to relevant managers.  We will also provide your details as required to ensure compliance with statutory requirements and relevant legislation, for example to Her Majesty’s Revenue and Customs (HMRC).

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under the Data Protection Act 2018.  Data matching by the Cabinet Office is subject to a Code of Practice.

All our suppliers’ data may be submitted to the National Fraud Initiative on a regular basis.  This use of data is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  You can read further information about the national fraud initiative here.


For Agenda for Change staff at Bands 8a and above, and Consultant Leaders, we will use your appraisal talent conversation information to populate the Trust’s talent succession map.   This will be reviewed by the Talent Review Board. 

Work experience

Personal data may be collected from you via the work experience process.  The information that we collect about you may include details such as name, address, telephone, email, date of birth and next of kin/emergency contacts, references, personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your work experience placement, medical information relevant to your work experience placement, including physical and mental health.

Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access.

To process your application for your work experience placement and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others.  We will not sell your information for any purpose, and will not provide third parties with your information for the purpose of marketing or sales.

When you apply for a work experience placement you will be asked to agree to your personal data being safely stored by Health Education England, East Midlands and its partner organisations and being used only in relation to your work experience placement and related projects.

Your information will be kept for the duration of the work experience placement and for 6 years following the end of your placement.  Here is a link to their Privacy Notice.


Security cameras are installed at various locations at our sites to prevent and detect crime, and for the protection of staff, visitors and patients and their property.


We use a third party provider, MailChimp, to deliver our monthly e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp privacy notice.


We will continue to hold some personal information about you as a staff member of Sherwood Forest Hospitals NHS Foundation Trust via a secured third party online database run by Civica.  This enables us to fulfil our legal requirement to maintain a membership of the Trust, ensure this membership is representative of the people we serve, and run elections for Trust Governors.

This also means you will continue to receive our membership newsletter and occasional updates.  The data that we hold about you, as a member, is kept securely and only used in relation to your membership of the Trust.  To make sure the data we hold about you is up-to-date, please do let us know if you have changed address, your name or your contact details.  You can do this by emailing or calling 01623 672294.
If you no longer wish to be a Trust member and do not wish to receive any further updates from us, then please email your name and address to, with a message saying you wish to unsubscribe. You can also call 01623 672294.

If you wish to know more about Civica’s Privacy Policy please visit their website here.

People who contact us via social media

We use a third party provider, Tweetdeck to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Tweetdeck for three months.  It will not be shared with any other organisations.   For more information, please see Tweetdeck privacy notice.  

If you use your mobile phone to take photographs and publish them on social media channels you will have to ensure you have written consent from the public and staff to prove everyone actively gave their consent.  You are free to use our consent forms here (internal link).

How long do you keep my staff records?

There are national records management standards in the NHS for how long we need to keep information about you.  This varies depending on the type of information. Further information is available here.

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

How can I see the information you hold about me?

You have the ‘right of access’ to information we hold about you.  Our policy is here, our procedure is here

Please email or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield


NG17 4JL

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law we have a duty to make sure that our services are accessible to all service users.  You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.

If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

Further advice is available from:

Can we withhold any information?

Yes.  There are some circumstances where the information you have asked for contains information that relates to another person.  Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.

The Act covers personal information that:

  • is held, or going to be held on computer;
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
  • is in most employment, health, educational, social service or housing records; or
  • is other information held by a public authority?

What can I do if I believe we have not sent all the information I am entitled to?

If you feel we have withheld some of your personal information, we recommend you contact us with your concern.  Make sure you state the information you think is being withheld.

If you have contacted us and still believe some of your personal information is being withheld, please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 23rd December 2021.

Data Protection Officer

Jacquie Widdowson, Information Governance Manager,, 01623 435425.

Our ICO registration number is Z4885823.  Further information on the Data Protection Act 2018 can be found here

How to contact us

If you want to request information about our privacy policy you can email us:

Or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield


NG17 4JL