For a Better Bolton

How we use and protect your personal information (employees)

This page explains how we use and protect your personal information, under the UK General Data Protection Regulation (UK GDPR).

During the course of employment activities, Bolton NHS Foundation Trust collects stores and processes personal information about prospective, current and former staff.

We are the organisation responsible for processing your data (Bolton NHS Foundation Trust).

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:  

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)  
  • Contact details such as names, addresses, telephone numbers and Emergency contact(s)  
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)  
  • Bank details  
  • Pension details  
  • Medical information including physical health or mental condition (occupational health information) 
  • Information relating to health and safety  
  • Trade union membership  
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences  
  • Employment Tribunal applications, complaints, accidents, and incident details 

Our staff is trained to handle your information correctly and protect your confidentiality and privacy.   

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes. 

Your information is not processed overseas. 

What is the purpose of processing data?
  • Staff administration and management (including payroll and performance)  
  • HMRC and Pensions administration  
  • Business management and planning  
  • Accounting and Auditing  
  • Accounts and records  
  • Crime prevention and prosecution of offenders  
  • Education  
  • Health administration and services  
  • Information and databank administration  
  • Sharing and matching of personal information for national fraud initiative 

We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes following data protection and employment legislation.   

Sharing your information

There are a number of reasons why we share information. This can be due to: 

  • Our obligations to comply with legislation 
  • Our duty to comply any Court Orders which may be imposed 

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons. 

Use of Third-Party Companies

To enable effective staff administration Bolton NHS Foundation Trust may share your information with external companies to process your data on our behalf In order to comply with our obligations as an employer. 

Employee Records; Contracts Administration (NHS Business Services Authority)  

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

International data transfers

In some limited circumstances, your personal information may be processed or stored outside the UK—for example, where we use an approved specialist system provider whose servers are located overseas. When this happens, we ensure that your information is protected in line with UK GDPR requirements.

We will only transfer your data to countries that have been assessed as having an adequate level of protection, or where appropriate safeguards are in place, such as approved International Data Transfer Agreements (IDTAs), Addendums, or Standard Contractual Clauses. These measures ensure your information continues to be handled securely, lawfully, and with the same level of protection expected within the UK.

We complete a Data Protection Impact Assessment (DPIA) and/or Transfer Risk Assessment (TRA) where required to assess the risks associated with the transfer.

The Trust continues to remain the Data Controller and is responsible for ensuring that any international transfers comply with the relevant legal requirements.

Your rights remain fully protected, even where data is processed outside the UK.

We do not routinely transfer confidential patient information outside the UK unless:

  • it is necessary for your direct care,
  • required by law, or
  • we have put approved safeguards in place.
Individuals rights

Right to be informed

As a member of staff, you have the right to be informed about how the Trust collects, uses, stores, and shares your personal data. Any information we provide about this processing must be:

  • Concise
  • Transparent
  • Intelligible and easily accessible
  • Written in clear and plain language
  • Free of charge

This includes information about HR records, occupational health information, training records, and any other staff related data we process.

Right of access

You can request that we correct personal data we hold about you if it is inaccurate or incomplete.

If your data has been shared with others (for example, payroll, HR systems, or external bodies), we will notify them of the rectification unless this is impossible or involves disproportionate effort.

We will respond within one month, extendable by two months if the request is complex.

If we refuse a rectification request, we will explain why and inform you of your right to complain to the ICO.

Right to erasure (to be forgotten)

As a member of staff, you may request erasure of your personal data in specific circumstances, including: 

  • The data is no longer necessary for the purpose it was collected 
  • You withdraw consent (where consent was the lawful basis) 
  • You object to processing and there is no overriding legitimate interest 
  • The data has been processed unlawfully 
  • Erasure is required by law 

Please note: 

  • The right to erasure is not absolute 
  • It does not apply to employment records we must retain by law 
  • It does not apply to special category data where retention is required (e.g., occupational health records) 

We may refuse a request where the data is processed: 

  • To comply with legal obligations 
  • As part of a public interest task 
  • For archiving, research, or statistical purposes 
  • For the exercise or defence of legal claims (e.g., employment disputes). 

Right to restrict processing 

You can request restriction of your personal data in circumstances such as:

  • You contest the accuracy of the data
  • You have objected to processing and we are considering the request
  • Processing is unlawful and you prefer restriction over deletion
  • We no longer need the data, but you need it for a legal claim

During restriction, your data can be stored but not otherwise used.

We will continue to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.

Right to data portability

This right allows you to obtain and reuse your personal data across different services.
It applies only where: 

  • The data was provided by you 
  • Processing is based on consent or contract 
  • Processing is carried out by automated means 

In an employment context, this may be less commonly applicable (e.g., transferring training certification data). 

Right to object 

As a member of staff, you have the right to object to the processing of your personal data when:

  • Processing is based on legitimate interests or a public task
  • Processing involves profiling
  • Your data is used for scientific or statistical research
  • Your data is used for direct marketing (including internal marketing)

For direct marketing, we must stop processing as soon as you object.

Use of artificial intelligence (AI) technology

We may use artificial intelligence (AI) tools to support certain workplace activities, such as improving efficiency, analysing information, or assisting with administrative tasks. Where AI is used, it is applied in a way that supports human decision-making rather than replacing it.

Any personal data processed through AI systems is handled in accordance with data protection legislation and our internal policies, with appropriate safeguards in place to protect confidentiality, accuracy, and security. We do not use AI to make solely automated decisions about staff where this would have a legal or significant effect, unless permitted by law and with appropriate transparency and safeguards.

What are your rights?

If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected. 

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. 

Data Protection Officer, Bolton NHS Foundation Trust, Minerva Road, Farnworth, Bolton, BL4 0JR Tel: 01204 390 861, 

Email: Information.Governance@boltonft.nhs.uk 

Right to lodge a complaint with a Supervisory Authority 

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO). 

The ICO can be contacted at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF. 

https://ico.org.uk/ 

We recognise that not everyone will find this document easy to read. We can arrange for large print, audio tape versions and for summaries or explanations in other languages.

Please call 01204 390193 if we can help.

Page last reviewed: