Privacy notice for staff

Who we are

University Hospitals Birmingham NHS Foundation Trust (UHB) is one of the highest performing healthcare organisations in Europe, with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 20,000 staff and runs the largest single-site hospital in the country.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5568104.

• About us

Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Queen Elizabeth Hospital Birmingham
Mindelsohn Way
Birmingham, B15 2TH

• InformationGovernance@uhb.nhs.uk

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

• ICO website

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

• How to make a complaint to the ICO

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

• 0303 123 1113
• 01625 545 745
• casework@ico.org.uk

Why we collect personal information about you

The Trust collects, stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.

Our legal basis for processing your personal information

As your employer, the Trust needs to keep and process information about you for employment purposes.

The information we hold and process will be used for our management and administrative use only.

We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately:

• during the recruitment process
• while you are working for us
• at the time when your employment ends
• after you have left

This includes using information to enable us to:

• comply with the employment contract
• comply with any legal requirements
• pursue the legitimate interests of the Trust
• protect our legal position in the event of legal proceedings

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

The Trust does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.

For further information on this legislation please visit the Government's UK legislation website.

• UK legislation website

What personal information we need to collect about you and how we obtain it

Personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as the Disclosure and Barring Service (DBS) etc.

In order to carry out our activities and obligations as an employer we handle data in relation to:

• personal demographics (including gender, race, ethnicity, sexual orientation, religion, criminal matters)
• contact details such as names, addresses, telephone numbers and emergency contact(s)
• employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
• bank details
• pension details
• occupational health information (medical information including physical or mental health conditions)
• details of any absences (other than holidays) including statutory parental leave and sick leave
• information relating to health and safety
• trade union membership
• Trust governors/membership
• offences (including alleged offences), criminal proceedings, outcomes and sentences
• employment tribunal applications
• complaints
• accidents
• incident details

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

If you take part in a project that requires you to login and access a UHB REDCap database as a user, account manager, administrator or to complete survey etc., please see this information that supplements to this privacy notice.

• Privacy notice (REDCap)

What we do with your personal information

Your personal information is processed for the purposes of:

• staff administration and management (including payroll and performance)
• pensions administration
• business management and planning
• education, training and development requirements
• health administration and services
• provision of occupational health and well-being service to individuals
• information and databank administration
• maintaining the Trust membership database
• business management and planning, including accounting and auditing
• conducting performance reviews, managing performance and determining performance requirements
• complying with health and safety obligations
• equal opportunities monitoring

What we may do with your personal information

The personal information we collect about you may also be used:

• for crime prevention and prosecution of offenders
• sharing and matching of personal information for national fraud initiatives
• to monitor your use of information and communication systems to ensure compliance with IT policies
• when dealing with legal disputes involving you or other employees, workers or contractors, including accidents at work
• when gathering evidence for possible grievance or disciplinary hearings

Who we share your personal information with and why

We will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Personal information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/share the minimum information necessary. However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

There are a number of circumstances where we must or can share information about you to comply with or manage:

• disciplinary/investigation processes, including referrals to professional bodies, e.g. the Nursing and Midwifery Council or the General Medical Council
• legislative and/or statutory requirements
• court orders which may have been imposed on us
• NHS counter-fraud requirements
• requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature

How we maintain your records

Your personal information is held in both paper and electronic formats, for specified periods of time as set out in the NHS Records Management Code of Practice 2021.

• NHS Records Management Code of Practice

We hold and process your information  in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements. 

We have a duty to:

• maintain records about you in accordance with retention guidelines
• keep records about you confidential and secure
• provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary, and will be destroyed in accordance with the Trust's Record Management and Information Lifecycle Policy once you are no longer an employee (permanent or bank), worker, contractor or volunteer of the company and are not subject to a formal or applicable laws and regulations.

Conflicts of interest

All staff on consultant contracts, and those at Agenda for Change bands 8d and above, or equivalent contracts, are required to complete the conflicts of interest return on an annual basis. All staff at this level who have completed the declaration will have their conflicts of interest disclosed on the Trust website. Those staff at this level who have not completed a declaration of interest (which may be a formally recorded nil return) will have their names published on the conflicts of interest register as not submitting a declaration.

All data is processed in line with GDPR Article 6(1)(e): "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” based on NHS England contract requirements for publishing declarations of interest.

Use of email

Some services in the Trust provide the option to communicate with employees via email. Please be aware that the Trust cannot guarantee the security of this information while in transit, and by requesting this service you are accepting this risk.

Further information can be found in Trust HR and information governance policies and procedures, which are available on the Trust intranet.

Your rights

If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

• request to access the personal data we hold about you, e.g. personnel records (see "how to access your personal data" below)
• request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards
• request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed
• ask us to restrict the use of your information where appropriate
• in the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, to withdraw your consent for that specific processing at any time
• challenge any decisions made without human intervention (automated decision making)

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How to access your personal data

To access the data we hold about you, please contact the relevant team for your site (see below).

Please remember to include details of the information you require and your contact details. You will be required to provide your Trust identification badge together with a document showing your name and address, such as a utility bill.

Good Hope, Heartlands and Solihull hospitals, Birmingham Chest Clinic and Solihull Community Services

Please contact the Human Resources department.

Queen Elizabeth Hospital Birmingham and Umbrella sexual health services

HR First Contact team

• 0121 371 7612
• 0121 371 7613
• FirstContact@uhb.nhs.uk

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

COVID-19 testing

If you have been invited to undertake a coronavirus test, the following will apply to you. The test will confirm whether you currently have coronavirus. This is so that you can:

• take the right steps to look after yourself
• protect others
• know if you’re fit and well to return to your critical role
• potentially reduce the amount of time you have to self-isolate for

What data is collected?

For the COVID-19 vaccination programme, we will process the following information about you, provided your role is in scope of the vaccination programme:

• First and last name
• Assignment/employee number
• Vaccination status
• Exemption status

If you take a COVID-19 test, we will collect the following information from you:

• NHS number
• Other household members’ first and last names (as they may also be invited to test if they show signs of coronavirus)
• Mobile phone number
• Email address

The below information is also used in conjunction with the above. This information is already held by us in your HR file.

• Date of birth
• Sex
• Address (including postcode)
• National Insurance number

Why is this data collected?

We collect this data for the following reasons:

• To help the Trust meet its legal obligation to implement the mandatory COVID-19 vaccination of its staff
• Workforce planning, especially for patient-facing areas to ensure continuity of services
• Performing ID verification
• Processing your test and returning your results to you
• Sharing the data with governmental health bodies (see below) to inform local planning and responses to coronavirus
• Sharing the data with Public Health England to help plan and respond to coronavirus
• Undertaking quality assurance of the process, to ensure the maximum participation of staff in the vaccination programme, for example clinical process assurance
• Analysis to support operational decisions

Where possible, your data will be linked to your GP record. This will be done by NHS Digital, who will be acting jointly as Data Controllers with the Department of Health and Social Care. This will enable your GP to be informed of your vaccination records and test result without you needing to do anything.

Who the data is shared with

The sharing of the COVID-19 vaccination status data is necessary to allow the coordinated and effective roll out of this vaccination programme to staff, and help the Trust meet its legal obligation.

The Trust may be required to share the outcomes of COVID-19 tests to allow for greater understanding of COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks.

Recipients of your data may include:

• Public Health England
• NHS England and NHS Improvement
• NHS Digital
• your GP

Legal basis

For use of your personal information, the Trust is reliant upon:

• Article 6 1(c): "processing is necessary for compliance with a legal obligation to which the controller is subject” (with regard to the Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) (No. 2) Regulations 2021
• Article 6 1(e): "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

For use of "special category information" (e.g. information regarding your health) the Trust is reliant upon the following legal bases:

• Article 9 2(b): "processing is required in the field of employment, social security or social protection law"
• Article 9 2(h): "processing is necessary for purposes of occupational medicine, and the provision health or social care" in conjunction with Data Protection Act (DPA) 2018 – Schedule 1, Part 1, condition 2 (2) (f) – health or social care purposes
• Article 9 2(i): "processing is necessary for public health purposes" in conjunction with DPA 2018 Schedule 1 Part 1 paragraph 3 public health

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.