Privacy - ESR Hub

Privacy Policy

NHS Electronic Staff Record (ESR) privacy notice

The NHS Business Services Authority (NHSBSA) manages the contract and service delivery of the Electronic Staff Record (ESR). Your employing organisation is responsible for maintaining any personal data collected from you, or about you and used in ESR. The NHSBSA and their employees are responsible as joint controllers for processing your data. We will respect the information we hold about you by ensuring it has appropriate safeguards in place to protect it.

Why we process your information

We'll use your information to administer and maintain your employee record, and for payroll and workforce purposes.

Sharing your personal information

We may share your information with:

Any personal data that we share for the purposes listed above is encrypted while being transferred.

Keeping your personal information

Your employing organisation can view your data during, and after, your employment with them.

We'll delete or anonymise your personal data when your employer authorises this.

We'll keep your information secure, accurate and up to date. We will only keep it for as long as we need it for the purposes it was provided, and the use it was intended.

Your personal data will not be processed, held or transferred outside of the European Economic Area.

Your rights

The personal data you provide will be managed as required by Data Protection law.

You have the right to request:

  • a copy of the personal data ESR holds about you from your employer,
  • your employer changes any personal data you believe is not correct at the time you provided it.


From 25 May 2018, you have the right to request your employer to delete your personal data if you believe they are keeping it for longer than necessary.

The NHS Electronic Staff Record Programme is delivered in partnership with IBM UK Ltd.

© NHS Electronic Staff Record 2018