In November 2021 the then Secretary of State for Health and Social Care set out their intention to merge Health Education England with NHS England, and also accepted a recommendation from the Chair of NHS Digital to merge NHS Digital and NHSX with NHS England with an expected legal merger date of 1st April 2023.

To prepare for the merger with NHS England and Health Education England, personal data about our staff will need to be shared with the other organisations involved in the merger.

Purposes for processing

• Organisational design work – to design the future shape and structure of the new NHS England.
• Communications and engagement – your work email addresses will be shared so that you can receive important communications about the merger, including invitations to All Colleague Briefings.
• Consultations – to meet legal requirements for staff consultation
• Equality Impact Analysis – to conduct Equality Impact Analysis, only aggregate anonymous data related to protected characteristics will be used for this purpose. Small numbers will be suppressed so that no individual can be identified from this data.
• Access to ICT systems – your work email address will be used to provide you with guest access to NHS England’s systems such as the Expressions of Interest (EIO) system to apply for vacancies, and the Creating the New NHS England Microsite to access key information and resources relating to the merger.
• Provision of voluntary redundancy schemes – staff NHS employment history, length of service and salary information will be used as a resource for the provision of voluntary redundancy schemes.

Sources of data

All data originates from Health Education England, NHS Digital and NHS England.

Categories of personal data and recipients

The following categories of personal data will be shared from your Electronic Staff Record (ESR):

• your contact information (eg your first name, surname, work email address)
• your employment information (eg your employment number, assignment number, job title, office location, start date, contracted hours, details of previous NHS service)
• your grade and salary information (eg your pay grade, salary, spinal value, pay step date)

In order to carry out equality impact analysis, in accordance with the Equality Act 2010, we will be sharing anonymous and aggregated information about our employees’ protected characteristics. Those characteristics include colleagues’ age, pregnancy and maternity, marriage and civil partnership, disability, race, religion or belief, sex and sexual orientation.  This information will only be shared in an anonymous and aggregated form so none of our colleagues will be identifiable from the information which is shared.  From the anonymous data small numbers, which relate to a small number of individuals, will be suppressed.

Your personal data will be shared with a limited number of individuals in NHS England, Health Education England and NHS Digital who require access to identifiable data to perform their role relating to the merger. Where the task they are performing does not require access to identifiable data, only access to aggregate anonymous data will be provided.

Personal data will be stored within the Foundry platform (Palantir acting as data processor) for the provision of the above purposes.

NHS England has also instructed the following organisations: KPMG, PA Consulting and McKinsey & Company, who will be acting as data processors to NHS England for this purpose, to provide support and assistance to the activities which are required to facilitate the merger. These organisations will only be given access to personal data which they require to complete the tasks assigned to them by NHS England.  They cannot use the data they have been given access to for any other purposes.

Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR) our legal basis to share data from your ESR record is:

• Contract – Article 6(1)(b) of UK GDPR in relation to your contract of employment
• Legal obligation – Article 6(1)(c) of UK GDPR in relation to the Equality Act 2010, execution of the Public Sector Equality Duty and legal requirements for consultation
• Public task – Article 6(1)(e) of UK GDPR in relation to carrying out the required activities and tasks needed to merge the three organisations to create the new NHS England.

We also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to use data which is particularly sensitive. NHS Digital will need to process sensitive data about employees’ protected characteristics to transform that data into aggregate and anonymous data before it is shared with NHS England and Health Education England for the purposes of equality impact analysis.  Our legal basis to handle this sensitive data to make it anonymous is:

• Employment purposes – Article 9(2)(b) of UK GDPR, plus Schedule 1, Part 1, Paragraph 1 “Employment, social security and social protection” of DPA 2018

• Substantial public interest – Article 9(2)(g) of UK GDPR, plus Schedule 1, Part 2, Paragraph 8 “Equality of opportunity or treatment” of DPA 2018