Privacy Notice

This privacy notice is intended to provide transparency regarding what personal data Health Education England (HEE) will collect about you, how it will be processed and stored, how long it will be retained and who will have access to your data.

Trainees should be aware that this privacy notice applies to all the processing of your personal data by HEE during the course of your training. Your personal data is collected typically (but not exclusively) via the recruitment process, your Annual Review of Competence Progression (ARCP) and when submitting Form R (or the alternative in NES).

Terms used in this notice

There are some terms that appear in the Data Protection Act 1998 that are used in this notice. These are explained below.

Personal data: Information from which the data subject can be identified either directly or indirectly when the information is read in conjunction with other data that the data controller holds.
Processing: In relation to personal data, processing means obtaining, recording, sharing or holding the data or carrying out any other operation or action.
Data subject: The individual whom the personal data is about.
Data controller: HEE, NES, the Wales Deanery or NIMDTA is the data controller, meaning that they determine the purposes for which and the manner in which any personal data is to be processed.
Data processor: A data processor processes personal data on behalf of the data controller under a contract and follows strict instructions from the data controller.
Third parties: Any person/organisation that is not the data subject, data controller or data processor.
Data recipients: Any person to whom the data is disclosed who processes that data on behalf of the data controller (e.g. HEE, NES, Wales Deanery or NIMDTA staff and lay representatives).
Sensitive personal data: Personal information about the data subject’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health condition, sexuality and criminal record or activity.


In order to manage and quality assure your training, HEE need to process information about you. They do so in compliance with the Data Protection Act 1998 and in accordance with the data protection principles set out in Schedule 1 of the Act. These principles require that personal data must:

  • be fairly and lawfully processed
  • be processed for a specific purpose
  • when collected, be adequate, relevant and not excessive
  • be accurate and up to date
  • not be kept for longer than necessary
  • be processed in accordance with an individual’s rights
  • be kept secure and safeguarded from unauthorised access or accidental loss
  • only be transferred outside the European Economic Area when an adequate level of protection exists in the recipient country

Processing your personal data

HEE will process your personal data for the following purposes, and this will usually entail the processing of your personal data on our management information systems:

  • To manage your training and programme – Personal data collected for this purpose will be kept in your training file, which will usually contain your recruitment data (application form, recruitment documentation and any immigration records), ARCP records, significant correspondence, and any other information pertinent to the effective management of your training and education.
  • To quality assure training programmes and ensure that standards are maintained – via local and national quality assurance teams, and methods such as the General Medical Council (GMC) national training survey
  • To identify workforce planning targets – Your data will be used to determine outputs from programmes and to inform the number of trainees required for specialties in the future.
  • To maintain patient safety through the management of performance concerns – Your personal data may be shared with the GMC should there be significant concerns regarding your fitness to practise.
  • To comply with legal and regulatory responsibilities including revalidation
  • To contact you about training opportunities, events, surveys and information that may be of interest to you

Access to your personal data is restricted to the authorised team within HEE that manages your training. Access is also granted on a limited basis to recipients such as Training Programme Directors and lay representatives but only where necessary for a specified and legitimate purpose.

Your personal data will be retained for six years after you have left your training programme, at which point your personal data will be confidentially and securely destroyed.

Processing your sensitive personal data

Your sensitive personal data will only be processed if HEE has received explicit consent from you, if alternative conditions of Schedule 2 and Schedule 3 of the Data Protection Act 1998 are satisfied or if an exemption specified in the Data Protection Act applies.

Sensitive personal data that we may need to share includes information relating to your health or criminal record should your employer or the GMC need to be made aware.

Sharing personal data

 image Privacy Notice taken from Gold Guide

HEE will only transfer your personal data to third parties using secure channels and where it is needed to manage your training, for example when rotating through placements or notifying Medical Royal Colleges/Faculties of ARCP outcomes.

HEE will not transfer your data unless it is satisfied of the following matters:

  • That a condition of Schedule 2 (and a condition from Schedule 3 in relation to sensitive personal data) of the Data Protection Act 1998 is met. The most common conditions we will rely on from Schedule 2 are consent from you or that we (or the recipient organisation) have a legitimate interest in the disclosure.
  • The data will be handled by the third party in accordance with the Data Protection Act.

Where the data is used for analysis and publication by a recipient or third party, any publication will be on an anonymous and aggregated basis, and will not make it possible to identify any individual. This will mean that the data ceases to become personal data.

Third parties may include the following non-exhaustive list: the UK health departments, Colleges/Faculties, other deaneries, the GMC, NHS Trusts/Health Boards and approved academic researchers.

Your responsibilities and rights

It is important that you work with us to ensure that the information we hold about you is accurate and up to date so please inform HEE immediately if any of your personal data needs to be updated or corrected.

All communications from HEE will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive information about your posts and assessments or other important news and information about your training.

If at any point you wish to gain a copy of your personal data that is held by HEE you may submit a subject access request in writing. Please note that a fee may apply. Please contact Health Education England.

In certain limited circumstances, you have a right to object to processing that is likely to cause you damage or distress, or to any decisions made by automated means that significantly affect you.

You also have a right to have inaccurate personal data rectified, blocked, erased or destroyed.

If you wish to exercise any of these rights or have any concerns in relation to how your personal data is processed, please contact HEE using the details above.

Should you wish to learn further information about data protection, please visit the Information Commissioner's Office (ICO) website. The ICO deals with complaints about information matters and provides useful guidance.


1 | Version GG 6 January 2016 (Gold Guide)