Privacy notice for staff

This privacy notice explains what we do with information in relation to employees who are on a formal contract with the organisation, including substantive staff members, volunteers, bank workers etc.

This privacy notice explains what we do with your personal information where we are providing or have provided care to you. It tells you:

  • the information we collect about you
  • how we store this information
  • how long we retain it
  • who we may share it with
  • for which legal purpose we may share it

Staff testing for coronavirus

If you have been invited to undertake the coronavirus test, the following will apply to you in addition to our normal staff privacy notice.

Testing process

The test will confirm whether you currently have coronavirus. This is so that you can:

  • take the right steps to look after yourself
  • protect others
  • know if you’re fit and well to return to your critical role
  • potentially reduce the amount of time you have to self-isolate for

We (University Hospitals Birmingham NHS FT) will provide, administer and analyse all tests. We will be the Data Controller for any additional information collected about you for the purpose of the test, as well as test results.

What data is collected?

If you take the test, we will collect the following information from you:

  • NHS Number
  • other household members’ first and last names (as they may also be invited to test if they show signs of coronavirus)
  • mobile phone number
  • email address

The below information is also used in conjunction with the above. This information is already held by us in your HR file.

  • first and last name
  • date of birth
  • sex
  • address (including postcode)
  • National Insurance Number 

Why is this data collected?

  • performing ID verification
  • processing your test
  • returning your results to you
  • sharing your results with governmental health bodies (see below) to inform local planning and responses to coronavirus
  • sharing results with Public Health England to help plan and respond to coronavirus
  • undertaking quality assurance of the testing process, for example clinical process assurance
  • analysis to support operational decisions

Where possible, your test result will be linked to your GP record. This will be done by NHS Digital, who will be acting jointly as Data Controllers with the Department of Health & Social Care. This will enable your GP to be informed of your test result without you needing to do anything.

Who the data is shared with

The Trust may be required to share the outcomes of COVID-19 tests to allow for greater understanding of COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks.

Recipients of your data may include:

  • Public Health England
  • NHS England and NHS Improvement
  • NHS Digital
  • Your GP

Legal basis

For use of your personal information, the Trust is reliant upon the following legal basis:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For use of "special category information" (e.g. information regarding your health) the Trust is reliant upon the following legal bases:

  • Article 9(2)(h): processing is necessary for purposes of occupational medicine, and
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes


Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means we will keep your information for up to eight years before we dispose of it.

Conflicts of interest

All staff on consultant contracts, and those at Agenda for Change grade 8d and above or equivalent contracts are required to complete the conflicts of interest return on an annual basis. All staff at this level who have completed the declaration will have their conflicts of interest disclosed on the Trust website. Those staff at this level who have not completed a declaration of interest (which may be a formally recorded nil return) will have their names published on the conflicts of interest register as not submitting a declaration.

All data is processed in line with GDPR “Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” based on NHS England contract requirements for publishing declarations of interest.


Personal data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive" such as ethnicity, sexual orientation and religion.

Data controller

"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.


"Processing" means anything that is done to the personal data we hold.


"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

Who we are

University Hospitals Birmingham NHS Foundation Trust (UHB) is one of the highest performing healthcare organisations in Europe, with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 20,000 staff and runs the largest single-site hospital in the country.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5568104.

Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Mindelsohn Way
Birmingham, B15 2TH

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

Information Commissioner's Office website

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)
Fax: 01625 524 510

Why we collect personal information about you

The Trust collects, stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.

Our legal basis for processing your personal information

As your employer, the Trust needs to keep and process information about you for employment purposes.

The information we hold and process will be used for our management and administrative use only.

We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately:

  • during the recruitment process
  • while you are working for us
  • at the time when your employment ends
  • after you have left

This includes using information to enable us to:

  • comply with the employment contract
  • comply with any legal requirements
  • pursue the legitimate interests of the Trust
  • protect our legal position in the event of legal proceedings

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

The Trust does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.

For further information on this legislation please visit the Government's UK legislation website.

What personal information we need to collect about you and how we obtain it

Personal information about you will largely be collected directly from you during your recruitment and employment. Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as the Disclosure and Barring Service (DBS) etc.

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • personal demographics (including gender, race, ethnicity, sexual orientation, religion, criminal matters)
  • contact details such as names, addresses, telephone numbers and emergency contact(s)
  • employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
  • bank details
  • pension details
  • occupational health information (medical information including physical or mental health conditions)
  • details of any absences (other than holidays) including statutory parental leave and sick leave
  • information relating to health and safety
  • trade union membership
  • Trust governors/membership
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • employment tribunal applications
  • complaints
  • accidents
  • incident details

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

What we do with your personal information

Your personal information is processed for the purposes of:

  • staff administration and management (including payroll and performance)
  • pensions administration
  • business management and planning
  • education, training and development requirements
  • health administration and services
  • information and databank administration
  • maintaining the Trust membership database
  • business management and planning, including accounting and auditing
  • conducting performance reviews, managing performance and determining performance requirements
  • complying with health and safety obligations
  • equal opportunities monitoring

What we may do with your personal information

The personal information we collect about you may also be used:

  • for crime prevention and prosecution of offenders
  • sharing and matching of personal information for national fraud initiatives
  • to monitor your use of information and communication systems to ensure compliance with IT policies
  • when dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work
  • when gathering evidence for possible grievance or disciplinary hearings

Who we share your personal information with and why

We will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Personal information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/share the minimum information necessary. However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

There are a number of circumstances where we must or can share information about you to comply with or manage:

  • disciplinary/investigation processes, including referrals to professional bodies, e.g. the Nursing and Midwifery Council and the General Medical Council
  • legislative and/or statutory requirements
  • court orders which may have been imposed on us
  • NHS counter-fraud requirements
  • requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature

How we maintain your records

Your personal information is held in both paper and electronic formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain records about you in accordance with retention guidelines
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management and Information Lifecycle Policy. Once you are no longer an employee (permanent or bank), worker, contractor or volunteer of the company and are not subject to a formal or applicable laws and regulations.

Use of email

Some services in the Trust provide the option to communicate with employees via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

Further information can be found in Trust HR and information governance policies and procedures, which are available on the Trust intranet.

Your rights

If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • request to access the personal data we hold about you, e.g. personnel records (see "How to access your personal data" below)
  • request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards
  • request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed
  • ask us to restrict the use of your information where appropriate
  • in the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, to withdraw your consent for that specific processing at any time
  • challenge any decisions made without human intervention (automated decision making)

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How to access your personal data

To access the data we hold about you, please contact the relevant team for your site (see below).

Please remember to include details of the information you require and your contact details. You will be required to provide your Trust identification badge together with a document showing your name and address, such as a utility bill.

Queen Elizabeth Hospital Birmingham and Umbrella sexual health services

HR First Contact team

Telephone: 0121 371 7612
Telephone: 0121 371 7613 or by e

Heartlands, Good Hope and Solihull hospitals, Birmingham Chest Clinic and Solihull Community Services

Please contact the Human Resources department.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.