Board Member Privacy Notice

Royal Devon University Healthcare NHS Foundation Trust is required to provide you with details on the type of personal information which we collect and process. In addition to any other privacy notice which we may have provided to you, this notice relates to the information collected and processed in relation to the Fit and Proper Persons Test (FPPT).

The FPPT in the Electronic Staff Record (ESR) is commissioned by NHS England.

Contact: Professor Adrian Harris, Chief Medical Officer & Senior Information Risk Owner (SIRO)
Address: Royal Devon and Exeter Hospital (Wonford), Barrack Road, Exeter. EX2 5DW
Phone Number 01392 411611

The type of personal information we collect is in relation to the FPPT for board members and is described below, much of which is already collected and processed for other purposes than the FPPT:

  1. Name, position title (unless this changes).
  2. Employment history – This would include detail of all job titles, organisation, departments, dates, and role descriptions.
  3. Job description and person specification in their previous role.
  4. Date of medical clearance.
  5. Record of training and development in application/CV.
  6. Training and development in the last year.
  7. Appraisal incorporating the leadership competency framework has been completed.
  8. Record of any upheld, ongoing or discontinued disciplinary, complaint, grievance, adverse employee behaviour or whistle-blow findings.
  9. DBS status.
  10. Registration/revalidation status where required.
  11. Insolvency check.
  12. A search of the Companies House register to ensure that no board member is disqualified as a director.
  13. A search of the Charity Commission’s register of removed trustees.
  14. A check with the CQC, NHS England and relevant professional bodies where appropriate.
  15. Social media check.
  16. Employment tribunal judgement check.
  17. Exit reference completed (where applicable).
  18. Annual self-attestation signed, including confirmation (as appropriate) that there have been no changes.

Processing of this data is necessary on the lawful basis set out in Article 6(1)(e) UK GDPR as the foundation for the database. This is because it relates to the processing of personal data which is necessary for the performance of the fit and proper person test which is carried out in the public interest and/or in the exercise of official authority vested in the controller.

For CQC-registered providers, ensuring directors are fit and proper is a legal requirement for the purposes of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and organisations are required to make information available connected with compliance to the CQC.

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you as part of your application form and recruitment to satisfy recruitment checks and the FPPT requirements.

We may also receive personal information indirectly, from the following sources in the following scenarios:

  • References when we have made a conditional offer to you.
  • Publicly accessible registers and websites for our FPPT.
  • Professional bodies for FPPT to test registration and or any other ‘fitness’ matters shared between organisations.
  • Regulatory bodies, eg CQC and NHS England.

We use the information that you have given us to:

  • conclude whether or not you are fit and proper to carry out the role of board director
  • inform the regulators of our assessment outcome.

We may share this information with NHS England, CQC, future employers (particularly where they themselves are subject to the FPP requirements), and professional bodies.

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:

  • We need it to perform a public task.

How we store your personal information

Your information is securely stored. We keep the ESR FPPT information including the board member reference, for a career long period. We will then dispose of your information in accordance with our Records Management Policy.

Your data protection rights

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at if you wish to make a request.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address

Information Commissioner’s Office
Wycliffe House
Water Lane

Helpline number: 0303 123 1113 ICO website:

Last updated: October 06, 2023.


Our site uses cookies to help give you a better experience. By continuing to use it you consent to the use of cookies as set out in our privacy policy.