Privacy Notice

Personal Data: ‘Personal Data’ is information relating to a natural (living) person which can be used to identify the person, for example:

• Name
• Address
• Telephone number
• Employee number
• Gender
• National Insurance (NI) Number
• NHS Number

Sensitive personal data (Special Category): ‘Special Category’ data is information which is classed as more sensitive personal data, for example:

• Religious beliefs
• Ethnic Origin
• Sexual Orientation
• Criminal convictions
• Disabilities
• Trade Union Membership

Data controller: ‘Data controller’ means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

Processing: ‘Processing’ includes the collection, recording, storage, use, disclosure or destruction of personal data.

A lot of the personal information provided to us comes directly from our patients. In certain circumstances, we may also receive personal data from:

• Health and social care professionals working with you such as GPs, support workers, social workers, hospices
• Ambulance Trusts
• Private healthcare providers
• Carers,relatives or next of kin in situations where you are incapable of communicating with us
• Local Authorities
• Law enforcement agencies
• CCTV images taken using our own CCTV systems

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you receive. Collectively, this is called your Health Record which may include:

• Basic details such as name, address, date of birth, phone number, and email address - where you have provided it to enable us to communicate with you by email
• Special Category Personal data such as:
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive;
  • Results of your tests and diagnosis;
  • Relevant information from other professionals, relatives or those who care for you or know you well;
  • Ethnicity, religion and, where appropriate, genetic/biometric information and sexual orientation;
  • Details of any contact you have with us such as home visits or outpatient appointments;
  • Information on medicines, side effects and allergies.
  • Clinical photographs for clinical imaging
• We may also record CCTV images in public areas as part of the Trust's security arrangements and for criminal prevention.
• Other personal information such as your next of kin and their contact details, patient experience feedback and treatment outcome information you provide.
• Most of your records are electronic and are held on a computer system and a secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers. To assist this, the use of other electronic patient record systems to share your information will be implemented.

It is essential that the personal data that the Trust holds about you is accurate and kept up to date. You should inform the hospital as soon as possible of any changes to your contact details, including Name, Address, Telephone and Mobile numbers, Email Address and GP provider. You can do this by speaking to the team at any reception within the hospital or contacting either of the teams below:

Access team: ngh-tr.mraccess@nhs.net

Data Quality Team: ngh-tr.data.quality@nhs.net

We process personal data to enable us to provide healthcare services to our patients; carry out research; maintain our accounts and records; the use of CCTV systems for crime prevention; and data matching under the national fraud initiative. Records about you are used by those caring for you to:

• Provide a good basis for all healthcare decisions by you and healthcare professionals
• Enable you to work in partnership with those providing your care
• Enable us keep all details of our contact with you, such as referrals and appointments and services you have received
• Make sure the care we provide is safe and effective
• Work effectively with others providing you with care
• Remind you about appointments using 3rd party processors.
• Enable investigations if you and your family have a concern or a complaint about your healthcare
• Facilitate you providing feedback on your experience to the Trust. You can opt out from this process either for a particular hospital attendance or permanently by informing a member of Trust staff who will advise the Information Department to remove your consent.

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

• Move to another area
• Need to use another service
• See a different healthcare professional.

Others within the Trust, the NHS and other government bodies may also need to use records about you to:

• Assess the quality of care we give you (called clinical audit)
• Protect the health of the general public
• Keep track of NHS spending
• Manage the health services we provide
• Help us to plan new services
• Help investigate untoward incidents, complaints or legal claims
• Prevent fraud
• Teach healthcare staff
• Help with research

If we need to use information that identifies you for purposes other than your direct care (or to check the quality of that care), we will always seek your consent beforehand.

Everyone working for the NHS has a legal duty to maintain the highest levels of confidentiality, and all NGH staff receive training on how to handle your information securely.

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format. All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.

We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

All employees and our partner organisations are legally bound to respect your confidentiality, all staff must comply with our security operating procedures. Any breach of these procedures is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.

We will process your personal information only when we are permitted to do so by law. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as when:

• processing is necessary in order to protect the vital interests of the data subject or of another natural person
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• processing is necessary for medical purposes

Please be aware that we do not normally use consent as a legal basis for processing your personal information under UK GDPR. This is different to consent to treatment. This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information, but this could have an impact on our ability to provide you with care.

Information sharing for purposes of direct care

We may need to share your information with trusted organisations when they are caring for you and are providing you with treatment. This includes outside agencies, such as social services, public service authorities and private healthcare organisations in addition to other NHS organisations.

Please note the circumstances below when we may share your information with these organisations:

• To ensure the provision of your direct care
• To ensure the provision of the most appropriate treatment and support for you and your carers
• Sharing your information via the Northamptonshire Care Record (NCR) to enable effective collaboration with other professionals who are directly involved in your care
• To deliver services relating to your direct care e.g. processing of blood tests
• For research, statistical and data analysis to give us insight on how we may improve the services we provide (please note that we will ask your explicit consent when processing your identifiable data for research purposes)
• For conducting patient surveys to support care improvements facilitated by the Trust
• To help us monitor and evaluate performance to develop the services we provide
• To meet our NHS contract obligations

We have processes in place to ensure that we do not share excessive information with any organisations. We only share information that is relevant, necessary, and adequate to the care you are receiving at any given time

We have relevant assurances in place to ensure that third-party organisations will not disclose your information without explicit written consent of the Trust, and this will only be provided if it is necessary to do so for the provision of your care.

The third-party organisations with whom we share your information for the purposes of your direct care include:

• Northamptonshire Health and Care Partnership – key health and care providers in the county working in partnership to improve health and care for people living in Northamptonshire
• Other partnerships working together to provide health and care for you such as, The East Midlands Radiology services (EMRAD) and National Pathology Exchange (NPEx)
• GPs
• Independent Contractors such as dentists, opticians, pharmacists, medical concierges
• Private Sector Healthcare Providers
• Charities and other Voluntary Sector Providers such as Hospices
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• NHS England (NHSE) and NHS Digital (NHSD)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police and Judicial Services
• Funeral Service providers
• Other National and Government agencies e.g. National Confidential Enquiry into Patient Outcome and Death, National Cancer Registration and Analysis Service and Public Health England

We may also need to share your information with third party suppliers. These suppliers may not be directly involved with your care, but they provide us with support services in order for us to provide direct care to you. The support services they provide include:

• supplying us with management information systems, databases and solutions used for administration processes and data-driven care delivery
• diagnostic and health monitoring solutions
• radiology services including medical and diagnostic imaging services
• healthcare technologies and solutions
• innovative prosthetic services
• consulting, auditing, counter fraud, data analytics and innovation services
• computer disposal and data destruction services
• solutions for risk management, monitoring patient safety, reporting incidents and adverse events and ensuring the cyber security, availability, integrity and confidentiality of our information
• survey services
• systems for managing policies, training and learning content
• physical security solutions and services
• managing and maintaining the sites and systems to ensure they work effectively
• technical support on the systems when required

Information shared with these organisations are subject to strict information sharing agreements established following robust risk assessments. Personnel from these organisations may have access to your information during the course of providing the above support services. However, it will be limited to only personnel who need access in order to deliver the services they provide. The information disclosed will be limited to what is relevant, necessary and adequate for the purposes for which we have engaged with the third-party supplier.

Legal Basis for sharing with third-party organisations

The legal basis relied on by the Trust to share your personal data with third party organisations and suppliers is set out in Article 6(1)(e) of the GDPR which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Where special category personal data such as health records are shared, the Trust relies on an additional condition set out in Article 9 (2)(h) of the GDPR which allows data to be processed where “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional subject to safeguards.”

Exceptions

We will always seek your permission to share your information with third party organisations for purposes other than your direct care. However, in exceptional situations we may need to share your information without your permission if:

• It is in the public interest – for example, there is a risk of death or serious harm to yourself or another person or a child
• The Registrar of Births, Deaths and Marriages asks for the contact details of the next of kin, to help carry out their statutory duty to register the birth or death of a patient.
• There is a legal need to share it – for example, to protect a child under the Children Act 1989
• A court order tells us that we must share it
• We are subject to the Care Quality Commission’s powers under the Health and Social Care Act 2008 to access and use information where they consider it necessary to carry out their functions as a regulator.
• There is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime
• You are subject to the Mental Health Act (1983), there are circumstances in which your nearest relative must receive information even if you object
• Your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases.

Further Information

If you would like further information on a specific third-party organisation or supplier with whom we share information, please contact the Data Security and Protection team at:

Data Security and Protection Team
Northampton General Hospital
Cliftonville
Northampton
NN1 5BD
Telephone:01604 543881
Email: ngh-tr.data.protectionact@nhs.net

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA).

As a result, it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made, the Trust will carry out the necessary risk assessments including Data Protection Impact Assessments to make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the Data Protection law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of providing health care services and satisfying any legal obligation.

Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that Care Records are ordinarily retained for eight years after which, it will be reviewed and transferred to the place of deposit if appropriate for archiving.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

The Trust has a Documentation Management Policy (NGH-PO-123). This is based on the NHS Records Management Code of Practice. You can access the NHS Records Management Code of Practice here. Records Management Code of Practice - NHSX

For information on your rights and how you may exercise them, please see your ‘Your Information Rights’ section on the Trust website here.

The Trust may use photographs, video footage and audio recordings where an individual can be clearly identified for the purposes of promoting its work. We will only use your image or audio if we have obtained your explicit written consent. You can request the photo, video or audio to be removed from the NGH photo library at any time by contacting ngh-tr.communications@nhs.net. Every effort will be made to remove the content however it may not be possible to control use of the photograph, video or audio completely.

Photographs, videos and audio recording may be:

• Used in the hospital magazine Insight
• Used in promotional materials such as posters or adverts
• Used on the NGH website, social media channels and other digital communications
• Used in news media and their associated websites and social media channels including print, television and radio
• Stored in the NGH photo library

The Trust has the ability to record telephone calls. Calls are recorded for the purposes of quality and training, protection of patients and staff, documenting information on your medical record or identifying issues in processes with a view to improving them. Calls may be shared internally with healthcare professionals and support staff who are involved in your direct care provision on a need to know basis. In the event of an incident, certain members of staff in the Audit, Risk or Governance teams may have access to call recordings in order to facilitate the investigation of the incident. Call recordings will not be shared outside of the Trust, unless we have a legal requirement to do so.

All records held by the Trust are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your information before we are able to review and securely dispose of it. We will keep your call recordings as long as we are required to do so by the Code. Recordings for children are kept for a maximum of 25 years and recordings for adults are kept for a maximum of 15 Years.

You have a right to access your call recordings under data protection law, this is called a Subject Access Request (SAR). You may request access to your call recordings through a secure electronic method. To make your request, please follow this link. Choose “Don’t have an account? Sign up”, then you can either: register on the site or enter as a guest. Then choose the most appropriate on-line application form.

If you have any problems accessing the on-line form, please give the Access Team a call on 01604 544776. Your Subject Access Request (SAR) will be dealt with under the terms of the Data Protection Act 2018, the General Data Protection Regulation 2016 and the Access To Health Records Act 2018. Follow this link for further information on Subject Access Requests.

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information on gov.uk is also available.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.  The Trust is working with several local Health Providers including Three Shires Hospital and Isebrook and who will also need to share your confidential patient information with, if they are dealing with your care directly.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. 

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In order to ensure that eligible patients are offered a vaccination as quickly as possible, we may use data about upcoming outpatient appointments to identify patients that can be offered a vaccine. If you are identified as eligible you will be contacted by a member of Northampton General Hospital staff and offered the opportunity to make a booking for a vaccination at the Moulton Park vaccination centre. This is optional and you do not have to accept this offer.

We are also working with other companies which are providing tools and systems which enable the Trust to work more effectively.  These include:

Doccla

Butterfly IQ

Attend Anywhere

Microsoft Teams

Consultant Connect

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

At Northampton General Hospital we are committed to providing the best possible experience to our patients.

We use national surveys such as the friends and family test to find out about your experience after receiving a service from Northampton General Hospital. Information about the friends and family test can be found here.

From time to time we may contact patients that have been on a specific care pathway to find out about their experience in order to improve our services. We take care to ensure that any patients that have opted out of receiving patient experience questionnaires are not contacted.

Whilst responses from patients are really important to us and help us to shape our services and provide the best possible care for our future patients, you do not have to respond to these requests if you don’t want to.

If you would like to opt out of receiving patient experience questionnaires please contact the Patient Experience Team using the following email address: ngh-tr.patientexperience@nhs.uk

We get information about you from the following sources:

• Directly from you
• From an employment agency
• From referees, either external or internal, providing confidential information about your suitability to the role
• Inter Authority Transfer (IAT) – information held by your previous NHS employer
• From the Disclosure and Barring Service where applicable, which will inform us about any criminal convictions you may have
• From Occupational Health and other health providers
• From Pension administrators when transferring within the NHS
• From Her Majesty’s Revenue and Customs (HMRC) relating to your pay, tax and employment
• From government departments about your right to work and visa applications
• From your Trade Union
• From providers of staff benefits
• Confirmation of your registration with a professional body
• CCTV images taken using our own CCTV systems

When you apply for a position within the Trust you will provide us with relevant information about you, including:

• Name
• Address and telephone contact details
• Employment history
• Qualifications
• Referee details

During the recruitment and selection process we will add further information including:

• Publicly available information such as social media presence
• Selection information including correspondence, interview notes, and results of any selection tests etc.

For the purposes of carrying out employee verification checks prior to an employment offer, we will collect additional information from you including:

• Copy of qualifications/ certificates
• Pre-employment checks, including references, identity documents and ‘right to work’ information
• Bank details

Following your appointment, we may add any other information you supply to us or is required as part of your employment including:

• Training, appraisal and revalidation information
• Occupational health information (medical information including physical or mental health conditions)
• Details of any absences (other than holidays) including statutory parental leave and sick leave
• Vaccination status (including Flu and COVID-19)
• Information relating to health and safety
• Employment tribunal applications
• Complaints
• Accidents
• Incident details

We will only use your personal data when the law allows us to. The Data Protection law sets out the legal bases for processing personal data. The most common legal bases we rely on for processing your personal data are:

• Where we need to perform the employment contract we have entered into with you.
• Where we need to comply with a legal obligation.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where it is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
Your personal data is held in both electronic and paper formats. Information may be held centrally by the Human Resources (HR) department and locally with your line manager.

All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.

Electronic information is accessed on a need-to-know basis only using the Trust’s Electronic Staff Record (ESR) system. Some information may be held on the Trust’s secure drives or shared folders where access is only granted to appropriate individuals.

The Trust will use your information to administrate your employment and associated functions. Your personal data will be shared between relevant colleagues who legitimately need the information to carry out their duties e.g. your line manager and the Human Resources (HR) department.

The Trust uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:

At the time of your recruitment, we take photographs which are then used for smartcards and ID Cards. This photograph may also be used in local/departmental areas and on the hospital intranet page to support with identification of employees. You may be asked to update this image on a regular basis to ensure that it is still usable for the purpose of employee identification.
If you agree to your photograph being taken, or take part in a video or audio recording for any purpose other than for smartcards and ID cards (such as publishing, republishing, transmitting or broadcasting across a range of print, online, broadcast and social media channels to promote the principles and practices of the hospital), we will first seek your consent.
We will also seek your consent to store images and recordings in the NGH photo library for three years.

The Trust may disclose personal and sensitive information to a variety of recipients including:

• Our employees, agents and contractors where there is a legitimate reason for them receiving the information
• Current, past or potential employers of our employees to provide or obtain references
• Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC)) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process
• Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
• The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
• Third parties who work with us to provide employee support services (e.g. counselling)
• Third parties who provide systems to help us provide quality health care to our patients
• Internal and external auditors
• Debt collection and tracing agencies
• Courts and tribunals
• Trade union and staff associations
• Survey organisations for example for the annual national NHS Staff Survey
• Training providers

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it and we will only ever use/share the minimum information necessary.

However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There are a number of circumstances where we must or can share information about you to comply with or manage:

• disciplinary/investigation processes and serious incident management, including but not limited to referrals to professional bodies, e.g. the Nursing and Midwifery Council and the General Medical Council and to seek advice from relevant professions for expert opinions
• legislative and/or statutory requirements
• court orders which may have been imposed on us
• NHS counter-fraud requirements
• requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature

The University Hospitals of Northamptonshire NHS Group consisting of Kettering General Hospital and Northampton General Hospital have chosen to partner with Qualtrics to offer a ‘People Pulse Survey’ to Trust employees.

The aim of the survey is to obtain views and feedback from employees on a number of topics, and to gather ideas, thoughts and feelings about our individual workspace or the broader workplace and to understand what it is that the Group is doing well and what we can be doing even better. The People Pulse Survey will run frequently throughout each year.

Results will be presented at Group briefings and/or NGH briefings to share with you, what you and other colleagues have shared.

Results will be non-attributable and small number suppression will be used to prevent individuals being identified from aggregated responses.

In order to provide access to the survey and to allow the results to be grouped by department, NGH will share personal information with Qualtrics, this includes:

• Name
• Work Email Address
• Job Role

Whilst this information is not being shared at present, NGH will also be looking to transfer the following information:

• Age
• Gender
• Sexual Orientation
• Disability
• Ethnicity

Our legal basis for sharing this information is Article 9 (2) (b) of the UK GDPR. Sharing this special category data allows the Group to identify staff groups that may feel disadvantaged or marginalised, and to take action to address this. This is in line with our obligations to the Public Sector Equality Duty (Part 1 of Equality Act 2010).

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used to effectively manage the workforce leading to improved efficiency and improved patient safety.

Factual references

In accepting employment, you accept that the following personal data will be transferred under a reference request programme if your employment transfers to another organisation:

• Name
• Date of Birth
• Dates of employment
• Most recent role title held on ESR
• Days and episodes of sickness in the last two years
• Any formal warnings or formal investigations pending including safeguarding concerns,
• Date, Level and outcome of DBS check undertaken

In accordance with the Trust’s Acceptable Use Policy (NGH-PO-1202) the Trust monitors the use of its IT systems and equipment and reserves the right to notify HR and the line manager of an employee where a violation of the policy is identified. All employees consent to the monitoring and recording of electronic communications and IT systems for safety and security, namely for the purpose of ensuring that rules are being complied with and that usage is for legitimate business purposes. All employees shall comply with any electronic communications systems policies that the Trust may issue from time to time.

The Data Security and Protection Team will monitor access to all clinical systems. Any access without a justifiable and professional need will be investigated to ensure the access was appropriate. Unauthorised access to any clinical system will be classed as a breach of the Acceptable Use Policy and may result in disciplinary action.

All information created on Trust devices is the property of the Trust and therefore may be subject to audit and review. Records created on Trust systems, such as emails, may be required and disclosed in relation to a Subject Access Request or to support an investigation. In these situations, where doing so would not prejudice the investigation, the Trust will make every effort to inform employees of the requirement to access this information prior to access.

Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud information technology service which has servers in the EU or outside of the European Economic Area (EEA). A Data Protection Impact Assessment will have been completed to ensure that data is held securely and within the requirements of the law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

It is important that the personal data that the Trust holds about you is accurate and kept up to date. It is your responsibility to ensure that the information held in the Electronic Staff Record (ESR) is correct and you should notify your line manager promptly of any changes to your details.

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. A summary of your records will be kept until your 75th birthday or six years after leaving whichever is the longer and then reviewed. For unsuccessful job candidates, documentation is retained for six months after candidate is rejected for a role and then deleted.

However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and for clinical staff where there is a negligence claim in relation to a child, the normal three year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff who may be at risk of certain diseases or where they were involved in an incident that could give rise to a clinical negligence claim which requires a longer retention period than six years, are marked appropriately as needing to be retained for a longer period.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

The Trust has a Documentation Management Policy (NGH-PO-123). This is based on the NHS Records Management Code of Practice. You can access the NHS Records Management Code of Practice here - Records Management Code of Practice - NHSX

For information on your rights, please see the ‘Your Information Rights’ section of the website, here.

The Trust works with partner academic organisations to support and mentor students and apprentices during their placements. Student and apprentice information is processed in accordance with the individual learning agreements in place with the academic institution.

This data is required to facilitate support and mentoring of individuals and to ensure compliance with the terms and conditions outlined via contract or learning agreement.

The lawful basis relied on to process student personal data for the purposes of employment is:

when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller(Art 6(1)(e))

As a Trust we have a duty to eliminate unlawful discrimination, harassment or victimisation, to advance equality of opportunity and to foster good relations. All public bodies must treat people from different groups fairly and equally. Data on equality and diversity is captured in accordance with the Equality Act 2010.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Below are the lawful bases relied on by the Trust to process Equality and Diversity Data:

Special Category Personal Data provided to the Trust for the purpose of compliance with Equality legislation:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.