Staff Privacy Notice

The Royal National Orthopaedic Hospital NHS Trust is the largest Orthopaedic hospital in the UK and is regarded as a leader in the field of orthopaedics both in the UK and world-wide. This Privacy Notice explains how the Trust collects and processes your personal information whilst you are working for the Trust.

What information does the Trust collect about you?

The Trust’s legitimate interest for collecting information about you includes health and safety reasons, performance and conduct issues and includes the safe delivery of patient services and patient care. If your personal information is not shared with the Trust, it may be unable in some circumstances to comply with its obligations. In such instances, the Trust will inform you about implications that this may have. On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used by the Trust to effectively manage the workforce leading to improved efficiency and improved patient safety.

The Trust collects and processes information about you in order to manage your employment relationship with the RNOH. The information held about you will enable the Trust to comply with the employment contract and with its other legal requirements.

The information that the Trust collects and processes about you includes:

  • Application forms and references
  • Contracts of employment
  • Salary/payroll and expenses
  • Contact and emergency contact details (including mobile for text messaging service)
  • Absences (holiday, sickness etc.)
  • Equal opportunities monitoring
  • Occupational health records
  • Your career history
  • Training records
  • Appraisals
  • Performance management records
  • Disclosure and barring service and criminal convictions
  • Professional registration details

Where does the Trust collect information about you?

The Trust collects information that is provided by you to it. However, your personal information may be provided to the Trust from other internal sources, such as from your manager, or in some cases, from external sources such as from your referees. Also, during the recruitment process, information about you may have been provided through a third party, for example from NHS jobs; LinkedIn; E-Trac and other jobs board. The information that the Trust receives from these third parties, would have been provided and agreed in the terms and conditions that you would have agreed to when you submitted your job application to the Trust.

Who does the Trust share your information with?

Where necessary, the Trust will disclose information with third parties and/or other NHS organisations. The Trust will only disclose information about you to third parties if the Trust is legally obliged to do so, where the Trust needs to comply with its contractual duties to you, or where a legitimate interest exists. As an example, the Trust may need to pass on certain information about you to its external payroll provider (Shared Business Services), pension provider and occupational health (OH Assist).

In accepting employment with the Trust, you accept that your personal data will be transferred under the streamlining programme if your employment transfers to another NHS organisation. Streamlining is the process by which certain personal data is transferred from one NHS organisation to another when your employment transfers. NHS organisations have a legitimate interest in processing your data in this way in establishing the employment of a suitable workforce.

The streamlining programme is a data sharing arrangement which is aimed at improving efficiencies within the NHS both to make costs savings for Trusts but also to save you time when your employment transfers.

Details of transfers to third-party country and safeguards

The Trust may transfer information about you to other NHS organisations for purposes connected with your employment or with the management of the Trust’s business. In limited, but necessary circumstances, your information may be transferred outside of the European Union (EU) and/or European Economic Area (EEA) or to an international organisation to comply with its legal or contractual requirements. If your information were to be transferred, the Trust would ensure that safeguards were in place prior to transmitting your information. The safeguards adopted would be by a secure connection and the Trust would ensure that the receiving organisation had adequate controls in place.

What special categories of personal information does RNOH hold about you?

Where the Trust processes special categories of information in relation to your racial or ethnic origin, political opinions, religious and philosophical beliefs, Trade Union membership, biometric data or sexual orientation; the Trust will always obtain your explicit consent to those processes unless this is not required by law or the information is required to protect your health in an emergency. Where the Trust processes data with your consent, you have the right to withdraw that consent at any time.

What systems are used by the Trust to ensure user compliance with policy?

The Trust monitors computer, internet, email and telephone/mobile telephone use, as detailed in its “Internet Usage, Email Usage, IT and Information Security Policy” which is available on the Grapevine (Intranet). Access areas that require staff to use swipe access cards and NHS Smartcards are monitored. The Trust uses Closed Circuit Television (CCTV) to monitor and to record activities for the purposes of safety and security as detailed in its “Closed Circuit Television (CCTV) Policy” which is available on the Grapevine (Intranet).

What is automated decision making and is this used by the Trust?

The Trust uses automated decision making (including profiling) in limited circumstances. For instance, when making an application to work for the Trust, your professional registration information may be required in order to continue with the recruitment process. There is a legal obligation where in specific job roles, the applicant maybe be required to hold a valid professional registration, for example nurses, doctors allied health professional and pharmacists. The consequences of an applicant not supplying their professional registration when required by the recruitment automated system would mean that the applicant would be prevented from completing their job application.

How long does the Trust keep information about you?

Your personal data will be stored the sooner of the period of 6 years or until your 75th birthday after you have left the employment of the Trust. Where you have been involved in a litigation case at the Trust, whether it involves a claim made against you or was an investigation carried out involving you during your employment, this information will be stored for a period of 10 years upon closure of the case. CCTV images across the Trust are kept for 31 days after the day they have been recorded and stored. The criteria used for determining how long your data will be stored is as per the Trust’s “Records Retention & Disposal Policy” which is available on the Grapevine (Intranet). The “Records Retention & Disposal Policy” complies with the “Records Management Code of Practice for Health and Social Care” which is the National recommendations for how long records should be kept by NHS organisations.

What are your rights?

Under the General Data Protection Regulation (GDPR) and The Data Protection Act (DPA), you have a number of rights with regard to your personal data. You have the right to request access to your information that the Trust holds about you which is referred to as a ‘Subject Access Request’ (SAR). For further information please refer to the “Subject Access Requests and Disclosure of Personal Data Procedure” policy which is available on the Grapevine (Intranet). If you have agreed to the processing of your data, you have the right (in certain circumstances) to withdraw your consent at any time by contacting the Trust’s Information Governance Manager or Data Protection Officer. This will not have retrospective effect relating to the information that was processed before your consent was withdrawn. You have the right to lodge a complaint with the Information Commissioners Office (ICO) if you believe that the Trust has not complied with the requirements of the GDPR or with the DPA with regards to your personal data. You can contact the ICO by visiting the ICO website.

It is recommended in the first instance that you contact the Information Governance Department if you have any concerns regarding the treatment of your personal data. Please contact Deepak Jagpal, Information Governance Manager / named individual on the Data Protection Register at or the Data Protection Officer on: 0203 947 0419. The Royal National Orthopaedic Hospital NHS Trust (RNOH) is the data controller and processor of information. Alternatively, you can write to the Information Governance Department at the Royal National Orthopaedic Hospital (RNOH) NHS Trust, Eastgate House 1st Floor, Brockley Hill, Stanmore, Middlesex, HA7 4LP. Any future amendments made to this privacy notice will be available on the Trust’s intranet.

For further information about GDPR please contact:

Data Protection Officer
Tel: 020 3947 0419
Related Documents:Size
Staff Privacy Notice GDPR427.16 KB
How helpful did you find this page?
Not helpful
Very helpful *
Required fields *

*We use this information to make improvements to our website and appreciate any feedback you can offer. Comments are emailed to the Communications Team at RNOH. The personal information collected is only used for email replies (Name and Email) and is stored encrypted in our database for 30 days and then permanently deleted.

Working for the RNOH