Privacy Notice for Staff

PLEASE NOTE – this privacy notice supports the integration of the Royal Devon and Exeter NHS Foundation Trust and Northern Devon Healthcare NHS Trust. There may be differences in systems and processes as the organisations integrate with each other and this privacy notice is subject to change.

This Privacy Notice explains what personal information we collect from you, how we store this personal information, how long we retain it and with whom and for which legal purpose we may share it.

The Trust also publishes a number of specific notices which are available at the bottom of this page.

To find out more about our Privacy Notice please select the relevant section below:

Who are we?

Royal Devon University Healthcare NHS Foundation Trust is one of the highest performing healthcare organisations in Europe with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 14,000 staff.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5368894.

For further information please refer to the Information Governance page on our website.

Why do we collect personal information about you?

The Trust collects, stores and processes personal information about prospective, current, and former staff to ensure compliance with legal or industry requirements.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

Your information will never be sold for direct marketing purposes.

What is our legal basis for processing your personal information?

Processing of employee personal information is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller (the Trust) or of the data subject (staff member) in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

The Trust does monitor staff where they access electronic systems and undertakes regular audits to ensure that, where records are accessed, the access is appropriate. It can be a disciplinary offence (including dismissal or criminal prosecution) to inappropriately access records about patients or work colleagues.

The Trust does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above.

For further information on this legislation please visit:

What personal information do we need to collect about you and how do we obtain it?

Personal information about you will largely be collected directly from you during your recruitment and employment.

Personal information may also be collected from healthcare professionals in certain circumstances, through national checks such as DBS etc.

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Employment records (including professional membership, references, and proof of eligibility to work in the UK and security checks)
  • Bank details
  • Pension details
  • Occupational health information (medical information including physical health or mental condition)
  • Information relating to health and safety
  • Trade union membership
  • Trust’s governors / membership
  • Offences (including alleged offences), criminal proceedings, outcomes, and sentences
  • Employment Tribunal applications, complaints, accidents, and incident details

What do we do with your personal information and what may we do with it?

Your personal information is processed for the purposes of:

  • Staff administration and management (including payroll and performance)
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Education
  • Health administration and services
  • Information and databank administration
  • Crime prevention and prosecution of offenders
  • Sharing and matching of personal information for national fraud initiative

Who do we share your personal information with and why?

We will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system. In addition to this we may also share with Health Education England, Academic faculties, Streamlining programme and other NHS Trusts.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Personal Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/share the minimum information necessary. There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

For any request to transfer your data internationally outside the UK/EU we will make sure that an adequate level of protection can be satisfied before the transfer.

There are a number of circumstances where we must or can share information about you to comply with or manage:

  • Disciplinary/investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC;
  • Legislative and/or statutory requirements;
  • Court Orders which may have been imposed on us;
  • NHS Counter Fraud requirements;
  • Requests for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature

Information for Epic Users - Please note that if you access Epic using your NHS Care Identity credentials, the identity access and management services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.

How do we maintain your records?

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice and National Archives Requirements.

We hold and process your information in accordance with the UK General Data Protection Regulation and Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain full and accurate records of your employment;
  • keep records about you confidential and secure;
  • provide information in a format that is accessible to you.

Use of Email - Some services in the Trust provide the option to communicate via email. Please be aware that the Trust seeks to comply with national requirements but cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

Further information can be found in our Information Governance website, which is available at:

What are your rights?

If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The UK General Data Protection Regulation and Data Protection Act 2018 give you certain rights, including the right to:

  • Request to access the personal data we hold about you, e.g. personnel records. If you wish to do this, please contact the Trust’s Information Governance Office. Please remember to include details of the information you require plus contact details and two forms of identification such as a copy of your driving licence/passport and also a document with your name and address on such as a utility bill;
  • Request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards. Contact the Information Governance Team for further information;
  • Request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed;
  • Ask us to restrict the use of your information where appropriate;
  • Ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information;
  • To object to how your information is used;
  • To challenge any decisions made without human intervention (automated decision making)

Who is the Data Protection Officer?

The Data Protection Officer can be contacted at the below email address:

For further details, please see:

How to contact the Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510


Last updated: July 18, 2023.

