Privacy and cookies
Last Updated: 1st April 2023
NHS England merger with Health Education England and NHS Digital
For data protection purposes, from 1 April 2023 NHS England will become the controller responsible for the processing of personal data for activities performed by Health Education England prior to this date. As part of this merger the organisation will be undergoing a transitionary process, to provide information on how the new NHS England is processing personal data.
Who we are and what we do
NHS Health Careers is the information service about the range of 350 or so careers available in health in England. We are part of Health Education England and our aim is to support people in education and at all stages of their career to discover more about the health roles that are available.
The NHS Health Careers team works from various locations across England and we:
Information we hold about you
In view of our role, we may hold information (personal data) about people who visit our website, and the linked Step into the NHS website, register with us to receive information (including as part of the We are the NHS campaign), contact us, or provide us with information through attendance at events etc.
Policy on how we use your information
This policy explains how we, as part of NHS England, (referred to as 'we', ‘our’ or ‘us’ below) uses any personal data we collect from you or which you give to us and the ways in which we protect your privacy. Protecting the privacy and personal data of our users is of the utmost importance to us. This policy is provided in accordance with the General Data Protection Regulation and the Data Protection Act 2018 (current data protection laws in England).
The data controller in respect of personal data we hold about you is NHS England.
Our data protection officer is Andrew Todd [email protected]
Please note that NHS England has a separate privacy notice detailing how it uses personal data in view of its statutory functions. This privacy notice is specific and limited to the use of data by NHS Health Careers, including the Step into the NHS website and We are the NHS campaign.
By visiting our website healthcareers.nhs.uk or stepintothenhs.nhs.uk (referred to as “this site” in this notice) you are accepting and consenting to the practices described in this policy.
Information we may collect about you and sources of data
We may collect and process the following data about you:
How we use your information
We use information held about you in the following ways:
Disclosure of your information
We will not share your personal data with third parties for commercial purposes.
We may share your information with selected third parties including:
Some of these third parties are data processors acting on our behalf under contract, such as website developers, contact centre and marketing agencies, distribution centres for literature and marketing materials, and IT processors such as Google Analytics.
We may disclose your personal information to third parties:
Lawful bases for processing
Where we process personal data for the above purposes, our legal basis for doing so under the General Data Protection Regulation is:
Article 6(1)(a) – you have given consent to the processing of your personal data for one or more specific purposes; or
Article 6(1)(b) – processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; or
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
Article 9(2)(a) - you have given explicit consent to the processing of your personal data for one or more specific purposes; or
Article 9(2)(f) - processing is necessary for the establishment, exercise or defence of legal claims; or
Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Where we store your personal data
Should you subscribe to receive emails from us through our website, your data eg your name and email address will not be transferred to, or stored at, locations outside the European Economic Area.
All information we hold is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of this site, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee complete security of your data transmitted to this site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Retention periods – how long we keep your information for
Subject to any requests we may receive from you for your data to be erased and subject to your data having to be retained for longer to enable us to fulfil any of the purposes for processing your data listed above, data that you provide to us or that is collected about you is held by us for two years from your last contact or engagagement with us or from your last access of the data.
This privacy statement applies to this site only and our linked website for Step into the NHS. It does not cover links within this site to other websites. If you follow a link to any third party websites, please note that these websites may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to such websites.
Your rights as a data subject
The General Data Protection Regulation includes a number of rights that are more extensive than those in the Data Protection Act 1998. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.
The availability of some of these rights depends on the lawful basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.
Right to be informed
Your right to be informed is met in the main by the provision of this privacy notice. We may also provide you with certain information about our use of your data when we communicate with you directly.
Right of access
You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.
Right to rectification
You have the right to ask us to rectify any inaccurate data that we hold about you. You can do this contacting us by contacting us.
Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal data about you that we hold. If you believe we have information about you, you can contact us to find out.
The right to erasure is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.
Right to restriction of processing
You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.
Right to data portability
This right is only available where the legal basis for processing under the General Data Protection Regulation is consent, or for the purposes of a contract between you and us. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format so that you can transfer the data elsewhere.
Right to object
You have the right to object to processing of personal data about you in certain circumstances. The right is not absolute and we may continue to process the data if we can demonstrate compelling legitimate grounds to do so.
Rights in relation to automated individual decision-making including profiling
You have the right to object to being subject to a decision based solely on automated processing, including profiling. We do not currently have any automated decision-making processes, but in future should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.
Rights in relation to direct marketing
We will only use your data for marketing purposes if you have subscribed to receive certain information or opted to receive marketing material. You can do this by logging into your account and updating your details, or you can also contact us, if you have previously consented by calling us or email, or by signing up to information relevant to the We are the NHS campaign.
Right to complain to the Information Commissioner
You have the right to complain to the Information Commissioner if you are not happy with any aspect of our processing of personal data or believe that we are not meeting our responsibilities under data protection laws. The contact details for the Information Commissioner are:
Information Commissioner’s Office
Wilmslow SK9 5AF
How to access your personal information or make a request in relation to other rights
Requests may be made in writing. If you wish to make a request you can email us at [email protected].
All requests will be recorded, and you may need to provide information to verify your identity and enable us to locate the information, such as:
Changes to the policy
If you have any questions about this privacy statement or the practices of this site, you can contact us on [email protected].