Skip to content
left end
left end
right end


As an employer, the Trust needs to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of the Trust and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager or people you work with, or in some cases, external sources, such as referees, a Trades Union, or a professional organisation such as the British Medical Association, or one of the medical Royal Colleges.

The sort of information we hold includes your application form and references, your contract of employment and any amendments to it; correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; your hours worked, contact and emergency contact details; records of holiday, sickness and other absence; information needed for equal opportunities monitoring policy; and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.

For the purposes of security, network and application integrity, and ensuring the effective management of IT many applications will maintain logs of usage which may identify users either directly or indirectly. All internet usage is logged and internet and email traffic is monitored as detailed in our policies available in the staff handbook or on the intranet. This data may be analysed on an aggregate basis without identifying individuals for diagnostic, utilisation and planning requirements. Use of the data in a way which identifies individuals will only be authorised where this is necessary for legitimate purposes and in accordance with policies and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

You will, of course, inevitably be referred to in many Trust documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the Trust.

Your contact details will be made available to the Trust Membership Office as employees are automatically invited to become Members of the Trust. You may opt-out of membership if you wish in accordance with Article 9 of the Trust Constitution. If you wish to opt out please contact the membership office via email or call 0117 34 23764. By law we are required to make a register of our membership available to the public on request. This register shows the member's name and their membership type, but not their address or any other personal details. If you wish to be taken off the public register, please get in touch with the membership office.

Where necessary, we may keep information relating to your health, which could include reasons for absence, certificates and GP reports and notes. This information will be used in order to comply with our statutory health and safety and occupational health obligations - to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and Trust sick pay. Occupational health records will be kept separate and confidential from other employee records - see Occupational Health

Where we process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless the processing is necessary for the purpose of the employment contract or required by law or the information is required to protect your health in an emergency. We will tell you whether providing the information is optional or mandatory.

In particular some staff, including staff in Hotel Services, will be required to provide biometric fingerprint data (but not a fingerprint as such) for clocking purposes. This is used in managing rostering, time and attendance records, absences, skills management and related functions.

In most cases we will be processing your data because it is necessary for the purpose of the employment contract or required by law but where we are processing data based on your consent, you have the right to withdraw that consent at any time. Occasionally we will process staff data as we have a legitimate interest in doing so - for example in relation to running the Recognising Success Awards.  

Other than as mentioned below, we will only disclose information about you to third parties with your consent, if we are legally obliged to do so, or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to a pension scheme.

In particular information may be disclosed to:

  • Suppliers contractors partners and other organisations in the normal course of your employment activities - for example your contact details will be shared with anyone you correspond with, relevant personal details may be shared as part of a due diligence process where the Trust is entering into a contract or research partnership. You will normally be aware of this as part of your work. If it is something you would not reasonably expect we will let you know before doing so.
  • Training providers. Where the Trust commissions training on your behalf from an external supplier the Trust will share necessary information about you with the provider for the management co-ordination and quality control of that training
  • HM Revenue and Customs for the administration of tax and national insurance
  • professional registration organisations - e.g. in respect of fitness to practice hearings
  • NHS Pensions if you are a member of the scheme
  • banks & insurance companies. at your request - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees
  • the Department of Work and Pensions e.g. in relation to benefits enquiries
  • the Child Support Agency
  • the Disclosure and Barring Service
  • the Student Loans Company
  • the Home Office Visa & Immigration Service
  • the National Clinical Assessment Service where a request is made to issue a Healthcare Professional Alert Notice as under the Healthcare Professional Alert Notices Directions 2006
  • the public under the Freedom of Information Act where this does not breach the data protection principles e.g. requested names or contact details of senior managers or doctors or those in public-facing roles

National Fraud Initiative (NFI)

The Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud as part of its responsibility for public sector efficiency and reform. Part 6 of the Local Audit and Accountability Act 2014 enables the Cabinet Office to process data as part of the NFI.

The Trust is a mandatory participant of the NFI which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular our payroll data to the Cabinet Office for each exercise.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors' data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

 The Trust's legal basis to process this data is set out in Article 6 (c) of the General Data Protection Regulation (GDPR) "processing is necessary for compliance with a legal obligation to which the controller is subject;"

For further information see the Cabinet Office Privacy Notice.

For further information on data matching at University Hospitals Bristol NHS Foundation Trust contact Elias Hayes, Local Counter Fraud Specialist on 01173 420828 or

The Trust may use data processors to hold information in files e.g. archive storage companies.

We will not normally transfer your information outside of the EEA or to an international organisation but may do so with your explicit consent e.g. where a doctor is participating in a multi-national research project.

We have in place appropriate safeguards to ensure the security of your data in accordance with the Trust's Information Security Policy.

Your personal data will be kept up to date and accurate during your employment and will be retained for a minimum for a period of TBC years after the end of your employment.

If in the future we intend to process your personal data for a new purpose we will provide you with information on that purpose and any other relevant information.

Please also see information regarding Your Rights. Some of these will be of limited application, particularly during the period you remain employed. For example we would not delete records we need to comply with our statutory and contractual duties.