University College London NHS Foundation Trust ("the Trust") is committed to protecting your personal data. This Notice sets out important information about how the Trust ("the Trust" or "we" or "us") collect and use your personal data during the course of your working relationship with us and after this working relationship has ended. It applies to all employees, workers and contractors, including anyone whose data we hold by virtue of them being on an honorary contract at the Trust. Any references used during the course of this Notice that refer to "employer", "employee", or "employment" should not be used to infer that any employment relationship exists between the Trust and any workers, honorary contract holders or contractors to whom this Notice applies.


You should read this Notice carefully and raise any questions you may have with your local HR team or Data Protection Officer.


This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.




In connection with your working relationship with the Trust, the relevant data controller is University College London NHS Foundation Trust, 250 Euston Road, London, NW1 2PG.


The current up to date version of this Notice is available here on myUCLH.

We encourage you to regularly review the Notice to ensure that you are always aware of the personal information we collect and use.




Personal data means information which identifies you and relates to you as an individual. As your employer, the Trust will collect, use and store your personal data for a wide variety of reasons in connection with the working relationship. We have set out below the main categories of personal data which we process on a day to day basis:


  • personal contact information (including your name, home address, personal telephone number(s) and personal e-mail address)*
  • business contact information (including e-mail address and telephone number)
  • job title
  • date of birth*
  • driving licence number / copy of driving licence*
  • ·national Insurance number*
  • gender
  • marital status
  • emergency contact information and next of kin
  • photograph*
  • documents evidencing your right to work (including information about your immigration status where relevant)*
  • documents gathered during the recruitment process (including cv, application form, cover letter, any other information obtained as part of the application process, references, professional memberships and qualifications, background vetting information)*
  • documents maintained and updated during your working relationship relating to professional memberships and qualifications and statutory and mandatory training (including but not limited to professional revalidation)*
  • general HR records including details of training, disciplinary and grievance matters,benefits, holiday and other absences, along with a copy of your employment contract / contract for services, performance records (including appraisals) and compensation history*
  • information gathered through the Trust's monitoring of its IT systems, building access records / proximity card records and CCTV recording*
  • information about your use of our information and communications systems
  • personal data which you otherwise voluntarily provide, for example when using your Trust e-mail account
  • Payroll data accessible via ESR including bank account details*
  • Your Covid-19 testing history where you choose to use the trust’s testing service.
  • Your Covid-19 vaccination status and history as held both on the National Immunisation and Vaccination System and, if applicable, your Electronic System Record.


The personal data provided by you and identified at * above is mandatory in order for us to administer the working relationship, and/or comply with statutory requirements relating to immigration or taxation.  Failure to provide mandatory personal data may affect our ability to accomplish the purposes stated in this Notice and potentially affect your ongoing working relationship.


This information may also be used to support staff experience and enable management to carry out their duty of care to staff


The list set out above is not exhaustive, and there may be other personal data which the Trust collects, stores and uses in the context of the working relationship. We will update this Notice from time to time to reflect any notable changes in the categories of personal data which we process.


The majority of the personal data which we process will be collected directly from you. In limited circumstances your personal data may be provided by third parties, such as former employers, an employment agency or background check provider, credit reference agencies, official bodies (such as regulators , Health Education England or criminal record bureaus) and medical professionals.




The Trust uses your personal data for a variety of purposes in order to perform its obligations under your employment contract, to comply with legal obligations or otherwise in pursuit of its legitimate organisational interests. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. We have set out below the main purposes for which employee personal data is processed:


  • checking you are legally entitled to work in the UK
  • determining the terms on which you work for us
  • paying you and, if you are an employee, deducting tax and National Insurance contributions and the administration of benefits under the employment contract
  • liaising with your pension provider, as applicable
  • making deductions to your salary for any trade union membership fees, as applicable
  • the day to day management of tasks and responsibilities
  • education, training and development requirements
  • ascertaining your fitness to work
  • managing sickness absence
  • to manage and assess performance, including the conduct of annual appraisals, as applicable
  • to consider eligibility for promotion or for alternative roles within the Trust, as applicable
  • to comply with legal requirements, such as reporting to the local tax authority or professional regulators
  • to address disciplinary and grievance issues with individual employees
  • to protect the Trust's confidential and proprietary information, and intellectual property
  • to monitor the proper use of the Trust's IT systems
  • to prevent fraud against the Trust and its clients
  • to safeguard the interests of the Trust's patients
  • to conduct data analytics studies to review and better understand employee issues such as sickness absence levels, performance and vacancy rates
  • to monitor and evaluate the Trust's performance against its organisational and staffing objectives
  • to comply with any statutory, contractual or regulatory obligations, including but not limited to information provided to the CQC, NHS Improvement and regulators of clinical professionals such as the Nursing and Midwifery Council and General Medical Council or in relation to gender pay gap reporting and/or the NHS Workforce Race Equality Standard (WRES) and the Workforce Disability Equality Standard (WDES)
  • if an organisational transfer or change of ownership occurs or service transfers as defined by TUPE
  • for the purposes of auto enrolment to the Trust Bank scheme
  • to enable managers to carry out their duty of care to staff they line manage to improve staff experience, engagement, health and well-being
  • to operate contact tracing of staff potentially exposed to infection outbreaks
  • to identify staff (including those working under a honorary contract and directly engaged bank staff) who may need Covid-19 vaccination, to ensure the Trust complies with its legal obligations in respect of mandatory vaccination for health workers


Again, this list is not exhaustive and the Trust may undertake additional processing of personal data in line with the purposes set out above. The Trust will update this Notice from time to time to reflect any notable changes in the purposes for which it processes your personal data.


The Trust also establishes links across systems for records relating to each member of staff. This is so that we can be sure of who each person is on each of our systems. This enables the Trust to improve the quality of the data that it holds about you, including standardising your details on all systems. The linkages also mean that business processes (in particular the process for someone joining the trust) operates more smoothly. At times the linkages will be used to answer other questions relating to care for patients.


The Trust may use the contact information it holds about you at the point you leave to contact you during the 12 months after your contract termination date. This is for limited purposes for example, celebratory purposes, exit interviews




Certain categories of data are considered "special categories of personal data" and are subject to additional safeguards. The Trust limits the special categories of personal data which it processes as follows:


  • Health Information


The Trust may process information about an individual's physical or mental health in compliance with its obligations in connection with employment, in particular (i) to administer sick pay entitlements; (ii) to facilitate the assessment and provision of NHS Injury Allowance; (iii) to provide appropriate workplace adjustments; (iv) to comply with patient care, health regulatory and health and safety obligations; and (v) to maintain a sickness absence record.


In recognition of the impact of the COVID-19 pandemic, the government has specified that sickness or self isolating absence episodes related to COVID-19 will not affect service entitlements for healthcare workers.  To ensure that the Trust complies with this allowance, COVID-related testing data reported via the Staff Testing Service will be shared with the trust to ensure that individual’s service entitlements are correctly managed on ESR. 


We will use the results of staff tests for Covid-19 as part of our contact tracing processes in response to Covid-19 outbreaks.


We will also use information from ESR and the National Immunisation and Vaccination Service (NIVS) to identify those staff that might need vaccination against Covid-19.  We will access information on NHS numbers for our staff via the NHS Spine System to ensure we match the right vaccination information for each member of staff. 


We will always treat information about health as confidential and it will only be shared internally, or as specified by law- see section below on the Coronavirus (COVID-19), where there is a specific and legitimate purpose to do so.  Please see the here for a specific privacy notice on how we treat staff testing and vaccination data related to COVID-19.  We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure.


Health information will typically be retained during the course of an individual's working relationship with the Trust. Following the termination of an individual's working relationship, we will typically retain health information held on the Trust system for 6 years subject to any exceptional circumstances and/or to comply with particular laws or regulations. Health information held on ESR (including periods of absence and the reasons for such absences) may be held for longer periods.


  • Coronavirus (COVID-19), including vaccinations


The government has issued a Control of Patient Information (COPI) notice to enable the health and social care system to take action to manage and mitigate the spread and impact of the current outbreak of Covid-19.  All NHS Trusts are required to support reporting systems to share confidential patient information (including staff health information) amongst health organisations and other appropriate bodies for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.


This will mean the Trust will use and share COVID-19 related health record information as required by the COPI notice referenced in the above paragraph to support the national response to the COVID-19 pandemic.  This includes information on flu vaccinations and your COVID vaccination status, which will be held securely and accessible only by those who need to do so.  The Trust will only share such information with external organisations in line with regulatory and mandatory requirements as a healthcare provider and for no other purpose.


For more information on these requirements, please see link here


  • Disclosure and Barring checks/information (DBS)



We are required to carry out DBS checks for specific positions and professions.  In all cases, we carry out the checks in line with the eligibility guide for DBS checks.


For clinical and other regulated roles, the DBS checks may be repeated periodically during the course of the working relationship in line with our regulatory obligations.


We will always treat DBS information as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure.


Information about a DBS check such as the date when a DBS check was made, what type of DBS check was carried out and the fact that the outcome of the DBS check was deemed to be satisfactory by the Trust will typically be retained up to a maximum of 12 months on the Trust system, subject to any exceptional circumstances and/or to comply with particular laws or regulations. Information held on ESR will be held for longer.


  • Equal Opportunities Monitoring


The Trust is committed to providing equal opportunities for employment and progression to all of its employees and from time to time it will process information relating to ethnic origin, race, nationality, sexual orientation and disability, alongside information relating to gender and age, for the purposes of equal opportunities monitoring and gender pay reporting.


We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure.  In addition, this monitoring will always take place in accordance with appropriate safeguards as required under applicable law, including:


  • the provision of information relating to ethnic origin, race, nationality, sexual orientation and disability for the purposes of monitoring will be voluntary and processed for this purpose only in accordance with any consent you may already have given;


  • wherever possible, the monitoring will be conducted on the basis of using anonymised data so individuals cannot be identified;





The Trust will share your personal data with other parties only in limited circumstances and where this is necessary for the performance of the employment contract or to administer the working relationship with you or to comply with a legal obligation, or otherwise in pursuit of its legitimate business interests as follows:


  • payroll providers


  • benefits providers


  • background vetting specialists


  • ·occupational health providers


  • in response to requests for references from third parties (i.e. prospective future employers)


  • ·other NHS organisations who have made an inter-authority transfer request


  • external learning providers


  • third party suppliers to the Trust where necessary (i.e. IT and security providers)


  • staff representatives, trade union representatives


  • social welfare entities for taxation purposes or where such information is requested in order for you to receive benefits


  • the Department of Health/Health Education England


  • any applicable regulatory body


  • HMRC and/or any other applicable government body


  • accountants, lawyers and other professional advisers


  • Bank Partners for the purposes of administering the Trust's Bank scheme and auto enrolment of staff to the Bank


  • Data sharing required by TUPE e.g. employee liability information


  • In accordance with requirements set nationally to support national response to COVID-19.


In all cases not governed by regulation or legislation, your personal data is shared under the terms of a written agreement between the Trust and the third party which includes appropriate security measures to protect the personal data in line with this Notice and our obligations. The third parties are permitted to use the personal data only for the purposes which we have identified or as is permitted by law, and not for their own purposes, and they are not permitted to further share the data without our express permission. 


As an employer within the National Health Service, the Trust may be required to share your personal data with other Trusts from time to time for the purposes set out in this Notice. In particular, the Trust may share your personal data for the purposes of facilitating cross organisation clinical care, operational effectiveness and medical research.




The Trust's policy is to retain personal data only for as long as needed to fulfil the purpose(s) for which it was collected, or otherwise as required under applicable laws and regulations (including compliance with mandatory COVID-19 vaccination requirements).  Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. We reserve the right to retain and use such anonymous data for any legitimate business purpose without further notice to you.


Once you are no longer an employee, worker or contractor of the Trust we will typically retain data for the periods set out in the attached Schedule 1, subject to any exceptional circumstances and/or to comply with particular laws or regulations.




The Trust will always seek to process your personal data in accordance with its obligations and your rights.


Save where it is necessary, for example, where we use e-rostering software to determine shift patterns or otherwise (for the purposes of patient safety), you will not be subject to decisions based solely on automated data processing without your prior consent.


In certain circumstances, you have the right to seek the erasure or correction of your personal data, to object to particular aspects of how your data is processed, and otherwise to seek the restriction of the processing of your personal data. You also have the right to request the transfer of your personal data to another party in a commonly used format. If you have any questions about these rights, please contact your local Data Protection Officer using the details set out below.


You have a separate right of access to your personal data processed by the Trust. You may be asked for information to confirm your identity and/or to assist the Trust to locate the data you are seeking as part of the Trust's response to your request.  If you wish to exercise your right of access you should set out your request in writing to your local Data Protection Officer using the details set out below.


Finally, you have the right to raise any concerns about how your personal data is being processed with the Information Commissioner's Office (ICO) by going to the ICO's website: or contacting the ICO on 0303 123 1113 or




It is important that the personal information we hold about you is accurate and current. Please check that your personal information is up to date and keep us informed if your personal information changes during your working relationship with us by using the employee self-service portal.





The Trust has appointed a Data Protection Officer to oversee compliance with this Notice and to deal with any questions or concerns.   If you would like further information about the matters set out in this Notice, please contact the Trust's Data Protection Officer or a member of the HR Team.


The contact details for your Data Protection Officer are set out below:



Matthew Hall at

Notice update: January 2021