Privacy notice

All personal data held within the Digital Staff Passport is processed by NHS England on behalf of individual employees of the NHS, as service users. NHS England are controllers for the information held on the Digital Staff Passport app itself.

Your ‘new’ or future employer becomes the controller of any copies of records received from the Digital Staff Passport. Any copies of records held by Identification Verification services are separate to this privacy notice, and Identification Verification service providers are separate data controllers.

To enact your data subject’s rights over the personal data processed on the Digital Staff Passport please contact the NHS England Data Protection Officer at [email protected]

You can contact the Information Commissioners Office (ICO) to make a complaint about the processing of your personal data.

The personal information the Digital Staff Passport collects is provided directly from you for one of the following reasons: 

• you have applied for a job with us or work for us
• you have chosen to use the NHS Digital Staff Passport

We may also receive personal information about you indirectly from others, in the following scenarios:

• from other health and care organisations you are employed with, through the Electronic Staff Record (ESR), to speed up pre-employment checks when you move between NHS organisations

• from information you have previously provided to your employer that is stored in other workforce IT systems, for example applicant tracking, learning management and occupational health systems

Personal information

We currently need the following personal information to provide your Digital Staff Passport:

• basic personal details about you – your name, address, date of birth, email address and an ID photo of you
• basic details relating to your work status – Disclosure and Barring Service (DBS) information, right to work information (residency/visa), your professional registration details (such as the General Medical Council, Nursing and Midwifery Council, General Dental Council or Health and Care Professions Council), your ESR assignment number
• clinical training and qualification details, any other specific clinical skills, and any restrictions on your practice
• basic details relating to your current employment – employing organisation, job role, staff group, department, start date, pay band, work email address, area of work, job title
• details of any supporting evidence or document, for example passport number, driving licence number

You can also choose to provide the following additional optional information:

• maiden name
• previous name
• preferred pronouns
• phone number
• work email
• ethnic category
• country of birth
• religious beliefs
• sexual orientation
• next of kin details
• 2 emergency contact details
• marital status

More sensitive information

We need the following more sensitive data to provide your Digital Staff Passport:

• limited healthcare information specifically relating to your employment – specifically, occupational health clearance confirmation

We process the following more sensitive data where you have chosen to provide it:

• data revealing racial or ethnic origin
• data concerning a person’s sexual orientation
• data revealing religious or philosophical beliefs
• immunisation, vaccine and testing data

Information will be shared with NHS England, who will host the data.

NHS England may also contact you to participate in user research and complete satisfaction surveys. Participation is always voluntary, and any feedback provided will be used to enhance the app and the experience of other users.

Your information will also be shared with organisations providing identity services or digital wallet services, such as, Yoti, Digidentity and Microsoft, who will verify your identity to ensure that it is in fact you who is requesting access to your Digital Staff Passport.

NHS staff data, including names and contact details may be transferred within the EEA to territories with relevant adequacy regulations under section 17A of the 2018 Data Protection Act.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

• Article 6, 1(e): We need it to perform a public task. This legal basis applies to the information that is not subject to a legal obligation but is provided by you to support us as your employing organisation in the performance of our public task.

More sensitive data

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category) is:

• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Your data will be stored by NHS England in the Microsoft Azure cloud. When you download your passport to your mobile device, your passport details will be held within the Microsoft Authenticator digital wallet or Digital Staff Passport app. Both storage locations have robust security measures in place to ensure your data is safe and secure.

Your data will be held for as long as your Digital Staff Passport is active. If you temporarily disable your passport, your data will be retained so that the process for reactivating your Digital Staff Passport is convenient for you. However, if you permanently delete your Digital Staff Passport account, your data will be deleted.