Privacy Notice – Employment Records

During the course of its employment activities, West Midlands Ambulance Service (WMAS) collects, stores and processes personal information about prospective, current and former staff.

This Privacy Notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
  • Contact details such as names, addresses, telephone numbers and Emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
  • Bank details
  • Pension details
  • Medical information including physical health or mental condition (occupational health information)
  • Information relating to health and safety
  • Trade union membership
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes.

COVID – 19

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak.

Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.

COVID–19 Testing

In such circumstances where you tell us you’re experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Data may be shared with laboratories both government run and increasingly in the private sector under the guidance of PHE. This data is limited to that which is required to ensure test results can be communicated back to the individual. Normally this will be a phone number, home address and email address linked to a named individual with date of birth and where available NHS number.

COVID-19 Test and Trace Service

Due to the COVID-19 outbreak the Trust was asked to establish a Test and Trace cell to support the Public Health England (PHE) Tier 1 contact tracing level (referred to as complex cases) of the service through the implementation of a local contact tracing policy of their employees when a staff member* is confirmed as COVID-19 positive.

*This caveat also includes CFRs, Volunteers, Contractors and Patients which the Trust has provided care to as an emergency service.

Positive cases may be identified internally or passed to the Trust via secure email from Public Health England. The Trust needs to accurately record details of confirmed or suspected COVID-19 cases and staff who may have been exposed to COVID-19 through contact with those individuals.

Information will be held and retained in line with the Records Management Code of Practice for Health and Social Care 2016.

*In the event of a declared outbreak by Public Health England this data will be held for an indefinite period and until all investigations are completed.

The information (data collection) recorded is kept to a minimum, with associated role-based access controls in place.

This includes the following personal data:
  1. Operating unit or department
  2. Full name and address
  3. Date of birth
  4. Payroll number
  5. Preferred contact number
  6. Preferred email address
  7. NHS number
  8. CAD Reference (where applicable)
  9. COVID-19 test location, date and results (where required)
  10. Additional notes

The information is hosted within WMAS secure systems. Access to records is recorded, ensuring a log of who has viewed records can be pulled.

There are defined role-based access controls in place. These roles are assigned by the COVID-19 Management Team who will ensure that only those individuals who require access to data are assigned. There is also a process in place to ensure the closure of system access when required. The system allows records to be altered by authorised personnel with validations in place to ensure correct information is entered where possible.

GDPR Legal Basis

Article 6 (1) (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law

Article 9 (2) (h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems

 What is the purpose of processing data?
  • Staff administration and management (including payroll and performance)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Crime prevention and prosecution of offenders
  • Education
  • Health administration and services
  • Information and databank administration
  • Sharing and matching of personal information for national fraud initiative

We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes following data protection and employment legislation.

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with legislation
  • Our duty to comply any Court Orders which may be imposed

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies

To enable effective staff administration WMAS may share your information with external companies to process your data on our behalf In order to comply with our obligations as an employer.

Employee Records; Contracts Administration (NHS Business Services Authority)

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

 Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

Individuals Rights

Data Protection laws gives individuals rights in respect of the personal information that we hold about you.  These are:

  1. To be informed why, where and how we use your information.
  2. To ask for access to your information.
  3. To ask for your information to be corrected if it is inaccurate or incomplete.
  4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.
  5. To ask us to restrict the use of your information.
  6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
  7. To object to how your information is used.
  8. To challenge any decisions made without human intervention (automated decision making)

Should you have any further queries on the uses of your information, please speak to the Human Resources Department or contact the Trust’s Data Protection Officer – Chris Kerr at or telephone 01384 215555.

Should you wish to lodge a complaint about the use of your information, please contact our Human Resources Department via or telephone 01384 215555.

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at