Personal data is any information relating to an identified or identifiable living person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or factors specific to the physical, genetic or mental identity of that person, for example.
HEE’s role in the NHS
HEE is here to improve the quality of healthcare for the people and patients of England through education, training and lifelong development of staff and appropriate planning of the workforce required to deliver healthcare services in England. HEE aims to enable high quality, effective, compassionate care and to identify the right people with the right skills and the right values. All the information we collect is to support these objectives.
What this privacy statement covers
This privacy statement only covers the processing of personal data by HEE that HEE has obtained from data subjects accessing HEE’s websites and from its provision of services and exercise of functions. It does not cover the processing of data by any sites that can be linked to or from HEE’s websites, so you should always be aware when you are moving to another site and read the privacy statement on that website.
When providing HEE with any of your personal data for the first time, for example, when you take up an appointment with HEE or when you enroll in any HEE sponsored training, you will be asked to confirm that you have read and accepted the terms of this privacy statement. A copy of your acknowledgement will be retained for reference.
Why HEE collects your personal data
Personal data may be collected from you via the recruitment process, your Annual Review of Competence Progression (ARCP) or via HEE’s appraisal process. Personal data may also be obtained from Local Education Providers or employing organisations in connection with the functions of HEE.
Your personal data is collected and processed for the purposes of and in connection with the functions that HEE performs with regard to workforce education and planning. The collection and processing of such data is necessary for the purposes of those functions. A full copy of our notification to the Information Commissioner setting out all of the types of processing that we undertake can be found on the Commissioner’s website. For further information please refer to HEE’s registration number: ZA120843 on the ICO’s website.
In connection with training, HEE collects and uses your personal information for the following purposes:
- To manage your training and programme
- To quality assure training programmes and ensure that standards are maintained
- To identify workforce planning targets
- To maintain patient safety through the management of performance concerns
- To comply with legal and regulatory responsibilities including revalidation
- To contact you about training opportunities, events, surveys and information that may be of interest to you
We also collect and use personal information from you so that we can provide HR related support services and education and training to you, for clinical professional learner recruitment, to promote our services, to monitor our own accounts and records, to monitor our work, to report on progress made, and to let us fulfil our statutory obligations and statutory returns as set by the Department of Health and the law (for example complying with HEE’s legal obligations and regulatory responsibilities under employment law).
Further information about our use of your personal data in connection with training can be found in the ‘Reference Guide for Postgraduate Specialty Training in the UK’, also known as the ‘Gold Guide’.
Collection and use of data from website users
When you access HEE’s website, small amounts of information are sometimes placed on your device, including small files known as cookies. These pieces of information are used to improve services for you. For example, we use a series of cookies to monitor website speed and usage, as well as to ensure that any preferences you have selected previously are the same when you return to our website.
Google Analytics for example stores information about what pages you visit, how long you are on the site, how you got here and what you click on. Personal information (e.g. your name or address) is not however collected or stored so this information cannot be used to identify who you are. We do not allow Google to use or share our analytics data.
Full details on the cookies set by Google Analytics are published on the Google website. Google also publishes a browser add-on to allow you to choose that information about your website visit is not sent to Google Analytics.
On a number of pages we use ‘plug ins’ or embedded media. For example, we might embed YouTube videos in pages. The suppliers of these services may also set cookies on your device when you visit the pages where we have used this type of content. These are known as ‘third-party’ cookies. To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
HEE as data controller
HEE is the data controller in respect of any personal data it holds concerning trainees in training, individuals employed by HEE and individuals accessing HEE’s website.
Legal basis for processing
The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing.
As personal data is processed for the purposes of HEE’s statutory functions, HEE’s legal bases for the processing of personal data as listed in Article 6 of the GDPR are as follows:
- 6(1)(a) – Consent of the data subject
- 6(1)(b) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Where HEE processes special categories of personal data, its additional legal bases for processing such data as listed in Article 9 of the GDPR are as follows:
- 9(2)(a) – Explicit consent of the data subject
- 9(2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- 9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- 9(2)(g) – Processing is necessary for reasons of substantial public interest
- 9(2)(h) – Processing is necessary for the purposes of occupational medicine, for the assessment of the working capacity of the employee, or the management of health and social care systems and services
- 9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Special categories of personal data include data relating to racial or ethnic origin, political opinions, religious beliefs, sexual orientation and data concerning health.
Please note that not all of the above legal bases will apply for each type of processing activity that HEE may undertake. However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.
We may seek your consent for some processing activities, for example for sending out invitations to you to training events and sending out material from other government agencies. If you do not give consent for us to use your data for these purposes, we will not use your data for these purposes, but your data may still be retained by us and used by us for other processing activities based on the above lawful conditions for processing.
Information that we may need to send you
We may occasionally have to send you information from HEE, the Department of Health, other public authorities and government agencies about matters of policy where those policy issues impact on education, training, workforce planning or other matters related to HEE. This is because HEE is required by statute to exercise functions of the Secretary of State in respect of education, training and workforce planning. If you prefer, you can opt out of receiving information about general matters of policy impacting on education, training and workforce planning by contacting your Local Office recruitment lead. The relevant Local Office will provide you with further advice and guidance regarding any consequences of your request.
HEE will not send you generic information from other public authorities and government agencies on issues of government policy.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Your data may only be transferred abroad where HEE is assured that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
How we protect your personal data
Our processing of all personal data complies with the General Data Protection Regulation principles in line with Health Education England’s data protection registration held with the Information Commissioners Office.
The personal data we hold may be held as an electronic record on data systems managed by HEE or as a paper record. These records are only accessed, seen and used as required and/or permitted by law by staff who need access to personal data so they can do their jobs and other partner organisations under data sharing agreements.
The security of the data is assured through the implementation of HEE’s policies on information governance management.
We make every effort to keep your personal information accurate and up to date, but in some cases we are reliant on you as the data subject to notify us of any necessary changes to your personal data. If you tell us of any changes in your circumstances, we can update the records with personal data you choose to share with us.
We will keep personal data for no longer than necessary, in line with our records management policy, and the NHS records retention schedule within the NHS records management code of practice.
Sharing personal data
So we can provide the right services at the right level, we may share your personal data within services across HEE and with other third party organisations such as the Department of Health, Higher Education Institutions, NHS Trusts, clinical placement providers, colleges, faculties, other HEE local offices, the GMC, NHS Trusts/Health Boards/Health and Social Care Trusts, approved academic researchers and other NHS and government agencies where necessary, to provide the best possible training and education and to ensure that we discharge HEEs responsibilities for employment and workforce planning for the NHS. This will be on a legitimate need to know basis only.
We may also share information, where necessary, to prevent, detect or assist in the investigation of fraud or criminal activity, to assist in the administration of justice, for the purposes of seeking legal advice or exercising or defending legal rights or as otherwise required by the law.
Where the data is used for analysis and publication by a recipient or third party, any publication will be on an anonymous basis, and will not make it possible to identify any individual. This will mean that the data ceases to become personal data.
HEE policy is to observe the Cabinet Office transparency and accountability commitments towards more open use of public data in line with relevant and applicable UK and European legislation. HEE would never share personal data through the Open Data facility. To this end, HEE will implement Information Governance protocols that reflect Information Commissioner’s Office recommended best practice for record anonymisation, and Office of National Statistics guidance on publication of statistical information.
Right to rectification and erasure
The GDPR extends and strengthens your rights as a data subject. Under the GDPR you have the right to rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the right to erasure is not an absolute right and it may be that it is necessary for HEE to continue to process your personal data for a number of lawful and legitimate reasons.
Right to object
You have the right in certain circumstances to ask HEE to stop processing your personal data in relation to any HEE service. As set out above, you can decide that you do not wish to receive information from HEE about matters of policy affecting education, training and workforce. However, the right to object is not an absolute right and it may be that it is necessary in certain circumstances for HEE to continue to process your personal data for a number of lawful and legitimate reasons.
If you object to the way in which HEE is processing your personal information or if you wish to ask HEE to stop processing your personal data, please contact your relevant Local Office. However, if we do stop processing personal data about you, this may prevent HEE from providing the best possible service to you.
You can access a copy of the information HEE holds about you by writing to HEE's Public and Parliamentary Accountability Team. This information is generally available to you free of charge subject to the receipt of appropriate identification.
The GDPR sets out the right for a data subject to have their personal data ported from one controller to another on request in certain circumstances. You should discuss any request for this with your local office.
If you want to complain about how we have used your personal data or to know more about how your information will be used, please contact your relevant Local Office. Alternatively, HEE’s Data Protection Officer is Mr Christopher Brady.
Alternatively, you can also contact the Information Commissioner if you have a complaint about our processing of your personal data:
The Office of the Information Commissioner
It is important that you work with us to ensure that the information we hold about you is accurate and up to date so please inform HEE if any of your personal data needs to be updated or corrected.
All communications from HEE will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive information or other important news and information about your employment or training.