
How we use your data

Mid Cheshire Hospitals NHS Foundation Trust is registered as a data controller with the Information Commissioner’s Office (ICO) for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) and is committed to ensuring that it collects, stores and processes personal information about prospective, current and former staff safely and legally.

Who does this notice apply to?

This notice applies to all current, past or prospective staff including agency, casual and contracted staff, volunteers, trainees and those carrying out work experience from recruitment to employment and beyond.

What information is provided by you?

When you apply for a position within the Trust you will provide us with relevant information about you including:

  • Name and contact details
  • Employment history
  • Qualifications
  • Referee/reference details

During the recruitment and selection processes we will begin to add further information including:

  • Copies of qualifications and certificates
  • Pre-employment checks, including references, identity documents, right to work check information and vaccination records.
  • Publicly available information such as social media presence
  • Selection information including correspondence, interview notes, results of any selection tests that you may undertake
  • Vaccination and immunisation data

Following your appointment, we may add any other information that you supply to us or that is required as part of your employment, such as revalidation information.


What information do we get from other sources?

Information may be provided about you from a number of sources during your recruitment and on-going employment with the Trust including:

  • Disclosure and Barring Service disclosures, where applicable, which will tell the organisation about any criminal convictions you may have
  • Referees providing confidential information about your suitability for the role
  • Inter Authority Transfer (IAT) – Information held by your previous NHS employer
  • Information from HM Revenue and Customs (HMRC) relating to your pay and employment
  • Information about your right to work and visa applications
  • Pension Information when transferring within the NHS
  • Information from your manager and HR team relating to your performance, sickness absence and other work related matters
  • Confirmation of your registration with a professional body
  • Data relating to your vaccination status such as that related to Covid.

What types of personal data do we hold?

Personal data

The Trust will hold personal data about you for example: Name, address, telephone number, staff number, gender, NI Number, next of kin/emergency contact details, professional membership information, reference information and bank details.

Sensitive personal data (special categories)

The Trust will also hold sensitive personal data including racial or ethnic origin, religious beliefs, trade union membership, health (including occupational health and vaccination status data where applicable), sexual orientation, criminal convictions and disabilities.

NHS COVID-19 Digital Staff Passport

During the current COVID-19 health emergency, various plans and projects are being implemented to help the NHS meet the unprecedented challenges and provide the best possible care to our patients. One of those challenges is ensuring that our clinical staff members are able to work where they are needed most and where their skills can be best utilised, and to reduce the administrative delays in making this happen. To enable this, staff who volunteer to participate in the scheme will be provided with a digital passport – the COVID-19 Digital Staff Passport – which summarises their clinical attributes, is verified by their current employer, and will allow them to begin working in another NHS location as quickly as possible. Staff who volunteer in the scheme will provide their consent for their data to be processed. Further information on how data is used in this process can be found at or by contacting the Data Protection Officer.

How do we access and secure your personal data?

The Trust will use your information to administer your employment and associated functions. Personal data will be shared between relevant colleagues who legitimately need the information to carry out their duties, e.g. your line manager and HR teams.

The Trust maintains electronic and paper records relating to your recruitment and employment, with information held by the HR team and locally with your line manager.

All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information. Electronic information will be held securely on the Trust systems and only accessed on a need-to-know basis.

How do we use staff data?

The Trust uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:

  • Processing your recruitment application and corresponding with you in relation to Trust vacancies
  • Maintaining staff records
  • Recruitment and selection
  • Managing Human Resource employment matters (e.g. promotion, training and development, conduct, attendance, appraisals, management progress, grievances, misconduct investigations, disciplinary actions and complaints)
  • Administering finance (e.g. salary, pension and staff benefits)
  • Complying with visa requirements
  • Providing facilities such as IT/system access, library services and car parking
  • Monitoring equal opportunities
  • Preventing and detecting crime, such as using CCTV and using photos on ID badges
  • Providing communication about the Trust, news and events
  • Maintaining contact with past employees
  • Provision of wellbeing and support services
  • Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC and ensuring medicated vaccination status is maintained. 
  • Carrying out research, surveys and statistical analysis (including using third party data processors to carry out the national staff survey)
  • To enrol you as a Foundation Trust member
  • Carrying out audits
  • To issue text message reminders of trust appointments i.e. Occupational Health appointments or training reminders
  • Meeting recording using MS Teams (please note that where meetings are being recorded an 'information banner' will be displayed on MS Teams; the meeting chair may also verbally inform the attendees).

The Trust processes sensitive personal data for a number of administrative purposes:

  • Equal opportunities monitoring
  • Managing Human Resources processes such as administering sick pay and sick leave, managing absence, administering Maternity Leave and associated pay schemes
  • Managing a safe environment and ensuring fitness to work
  • Managing obligations under Equal Opportunities Legislation
  • Provision of Occupational Health and Wellbeing service to individuals including that related to your Covid and Flu vaccination status. 
  • Payment of trade union membership fees

How do we share your data with third parties?

The Trust may disclose personal and sensitive information to a variety of recipients including:

  • Our employees, agents and contractors where there is a legitimate reason for them receiving the information
  • Current, past or potential employers of our staff to provide or obtain references
  • Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC)) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process.
  • Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
  • The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
  • Third parties who work with us to provide staff support services (e.g. counselling)
  • Crime prevention or detection agencies (e.g. the police, security organisations, Department for Work and Pensions and local authorities)
  • Internal and external auditors
  • Debt collection and tracing agencies
  • Courts and tribunals
  • Trade union and staff associations
  • Survey organisations for example for the annual staff survey

All disclosures of personal data are considered on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared where there is a "legal basis" for doing so or where you have consented to the disclosure of your personal data to such persons.

Sharing information with the NHS Business Services Authority

The Trust also shares employee records information with: NHS Business Services Authority.

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

On commencement of employment with the organisation, your personal data will be uploaded into the ESR system. ESR is a workforce solution for the NHS which is used by the organisation to effectively manage the workforce leading to improved efficiency.

In accepting employment with the organisation, you accept that personal data will be transferred in accordance with streamlining staff movement principles. If you accept an offer with another NHS organisation, or your employment transfers or is seconded to another NHS organisation, the following information will be shared:

  • Personal data e.g. name, DOB, address, NI Number, to enable the new NHS employer to verify who you are
  • Employment Information e.g. your position, salary, grade, employment dates, dates of any sickness (excluding absence reasons), to enable you to be paid correctly and the new employer to calculate appropriate NHS entitlements for annual leave and sickness
  • Training compliance / competency dates, to reduce the need to repeat nationally recognised training and statutory and mandatory training

This information will be shared via the Inter Authority Transfer (IAT) which is the secure process where information is transferred from one NHS employer to another.

How is your information kept up to date?

You are responsible for promptly notifying the Trust about any changes in your information such as a change of address, telephone number or name.

The Trust will take all available steps to ensure that information about you is kept up to date. 

How long is your information kept for?

The Trust will retain your records no longer than is necessary in line with its obligations under data protection law. 

A schedule of how long your data will be retained for is available here.

What legal basis is used for processing my information?

The Trust will only ever process your personal information where it is able to do so by law and using one of a number of legal bases available under the Data Protection Act 2018 and General Data Protection Regulation (GDPR).

The legal bases we use most often are as follows:

  • Performance of a contract – applies where we are required to process your information in order to facilitate your contract of employment. 
  • Legal Obligations – In many cases we have a legal obligation to hold and process information about you for example informing HMRC of the tax and National Insurance Contributions you have made and ensuring the safety and care of our patients and staff. 
  • Legitimate Interests – In some cases, for example sharing data between NHS organisations via IAT, the Trust will rely on the legitimate interests of the business function.

Where we process special category data about you (i.e. racial or ethnic origin, religious beliefs, trade union membership, health, sexual orientation, criminal convictions and disabilities) we will ensure this is done using one of the following legal bases:

  • Employment Rights – Carrying out obligations and specific rights required by us as an organisation for the purposes of employment (e.g. monitoring the equality and diversity of our workforce or DBS checking) 
  • Preventative or Occupational Medicine – assessing the working capacity of our employees including the processing of vaccination and immunisation data.

What are my individual rights?

You have certain rights with respect to the data held about you by the Trust. These are:

  1. To be informed why, where and how we use your information – this is fulfilled by this privacy notice; however, please contact if you have any questions regarding this.
  2. To ask for access to your information (commonly known as subject access) – please direct any subject access requests to
  3. To ask for your information to be corrected if it is inaccurate or incomplete – please direct any requests under this process to 
  4. To ask for your information to be deleted or removed where there is no need for us to continue processing it – please direct any requests under this process to
  5. To ask us to restrict the use of your information – please direct any requests under this process to
  6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information – please direct any requests under this process to
  7. To object to how your information is used – please direct any requests under this process to
  8. To challenge any decisions made without human intervention (automated decision making) – please direct any requests under this process to

Further information

  • Questions regarding the use of your information should be directed to your line manager in the first instance.
  • HR questions should be directed to or 01270 273712 (Internal Extension 3712)
  • Questions regarding occupational health data should be directed to
  • General questions about this notice should be emailed to

Should you wish to lodge a complaint about the use of your information, please contact the Trust’s Data Protection Officer at or Information Governance, Mid Cheshire Hospitals NHS Foundation Trust, Infinity House, Mallard Way, Crewe CW1 6ZQ

If you remain dissatisfied following the response from the Data Protection Officer, you have the right to lodge a complaint with the Information Commissioner, whose contact details can be found at

MCHFT Staff App

  • In order to provide you with the MCHFT Staff App and associated services, staff will download the app from the Google Play or Apple Store using their existing accounts.  The App provider collects data on the download and use of the app, however personal information is not identifiable to the provider. 
  • The App Provider (Chapelcroft Limited) uses Microsoft Azure to deliver the App to you and will process data about downloads and usage, however individual personal information is not identifiable to the provider.
  • The Trust will, from time to time, run its own internal promotions and offers through the app where staff are required to enter personal information into the Trust’s own forms to participate; this data is not shared externally.