Privacy - ESR Hub


Privacy Policy

NHS Electronic Staff Record (ESR) privacy notice

The NHS Business Services Authority (NHSBSA) manages the contract and service delivery of the Electronic Staff Record (ESR). Your employing organisation is responsible for maintaining any personal data collected from you, or about you, and used in ESR. The NHSBSA and their employees are responsible as joint controllers for processing your data. We will respect the information we hold about you by ensuring it has appropriate safeguards in place to protect it.

The Department of Health and Social Care (DHSC), as data controller, is responsible for the processing of your personal data for the purposes of workforce planning, equality and diversity monitoring, protecting the health of key workers, research, and to prevent, detect, and investigate fraud.

Why we process your information

NHSBSA and your employer will use your information to administer and maintain your employee record, and for payroll and workforce purposes.

Sharing your personal information

NHSBSA and your employer may share your information for employment purposes with:

  • NHS Pensions - to administer and pay pension benefits
  • HM Revenue and Customs - for benefits and tax administration
  • BACS - to make payments to employees
  • The Cabinet Office - to prevent, detect, and investigate fraud
  • The Department of Health and Social Care: Advisory Committee on Clinical Excellence Awards (ACCEA) - to manage and monitor the payment of Clinical Excellence Awards
  • Disclosure and Barring Service (DBS) - to safeguard vulnerable groups
  • Local Education Training Boards (LETBs) - to manage Doctors in Training
  • NHS Digital and the Care Identity Service (CIS) - to update employee records in the Care Identity Service
  • Local systems running at your employing organisation or their service providers - to secure the effective and efficient delivery of NHS and related services
  • Other NHS employing organisations who use ESR that you may apply to work for - to transfer your employment record to your new employing organisation
  • NHS Counter Fraud Authority as part of a specific investigation
  • Other organisations that have a legal right to it.

Any personal data that we share for the purposes listed above is encrypted while being transferred.

DHSC may share your information with other organisations, such as universities, for the purposes of workforce planning, equality and diversity monitoring, protecting the health of key workers, and research. This data sharing will only be done where it is in the public interest, allowed by data protection law and keeps your information safe. DHSC will only share the information necessary for the research study.

The research organisation will:

  • only identify you where it is necessary to link ESR data with data from other sources
  • remove any information that identifies you after the data has been linked
  • securely delete the information when the research study ends.

DHSC may share your information with national and regional NHS bodies where it is needed for them to carry out their official duties, such as workforce planning, NHS policy development, preventing, detecting, and investigating fraud, and producing official statistics. These include:

  • Care Quality Commission
  • IBM ESR Data Warehouse Team
  • NHS Business Services Authority (ESR Central Team, Data Analytics Learning Lab)
  • NHS Employers
  • NHS England (including E-learning for Healthcare)
  • NHS Wales (including NHS Wales Shared Services Partnership and Health Education and Improvement Wales)
  • NHS Counter Fraud Authority

Keeping your personal information

Your employing organisation can view your data during, and after, your employment with them.

NHSBSA will delete or anonymise your personal data when your employer authorises this.

We'll keep your information secure, accurate and up to date. We will only keep it for as long as we need it for the purposes for which it was provided and the use for which it was intended.

Your personal data will not be processed, held or transferred outside of the UK or European Economic Area.

Your rights

The personal data you provide will be managed as required by Data Protection law.
You have the right to request:

  • a copy of the personal data ESR holds about you from your employer
  • that your employer change any personal data you believe is not correct at the time you provided it
  • that your employer delete your personal data if you believe they are keeping it for longer than necessary.

The NHS Electronic Staff Record Programme is delivered in partnership with IBM UK Ltd.

© NHS Electronic Staff Record 2024