GDPR and privacy notice


The NHS Confederation is a charity and membership organisation. We operate a trading subsidiary, The NHS Confederation (Services) Company Limited; together they form the NHS Confederation group.

This statement sets out how we handle your personal data, the lawful basis by which we process your data and the details of our data protection officer.

What personal data do we collect?

We collect the personal data you provide to us when signing up for newsletters or updates, to receive information from us or to otherwise provide your data to us, along with any further personal data you provide from time to time. This personal data includes your name, email address, job title, organisation address, land and mobile phone numbers and other contact details.

We may also combine this personal data with other personal data we hold about you across the NHS Confederation group, for example attendance at our events and the different channels you use to interact with us.

How we use your personal data

We process your personal data to be able to interact with you, provide you with.

We also use your personal data:

  • to send you our newsletters, updates, information, activities and services
  • to send you information about our events and products
  • to ensure that the information we hold is kept accurate and up to date
  • to notify you about changes to our services.

How long we keep your personal data

We will keep your personal data for as long as reasonable for the purpose it was provided. We will periodically review our interactions with you and may delete your data if we have not interacted for some time.

Who we share your personal data with

We will not share your data with any third parties unless you have consented for us to do so, for example if you register for an event. Where this is the case we will share the relevant privacy notice with you and secure your consent to do so. We may share your personal data within our group of companies as detailed above.

We may, however, disclose or share your personal data if we are required to do so in order to comply with our legal obligations or for the purposes of fraud prevention.

Currently we use both Jotform and SurveyMonkey to capture data for surveys and events. We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information about the safeguards we have in place.

The lawful basis for processing your data

We rely on your consent to process your data. We may also share your data within our group of companies where it is in our legitimate interest to do so.

What happens if you do not provide us with the personal data we request or ask us to stop processing your personal data?

You may withdraw your consent to our processing your data at any time. You are able to opt out of our newsletters and updates at any time by selecting unsubscribe at the bottom of the email. You may ask us to stop processing your data completely; to do this, please contact our data protection officer.

How we contact you

We will communicate with you via email, telephone, post and on occasion SMS. You may also update your contact details at any time by contacting us.

Processing data outside of the European Economic Area

In some cases we may process your personal data outside the European Economic Area (EEA), where countries may not have laws which protect your personal data to the same extent as in the EEA. We are obliged to ensure that your personal data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.

Currently we use Mailchimp, part of The Rocket Science Group, to send some of our emails.  We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information about the safeguards we have in place.

Your rights

By law you have a number of rights when it comes to your personal data.


What does this mean?

The right to be informed


You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights.

The right of access

You have the right to obtain access to your personal data that we are processing and certain other information.

The right to rectification

You are entitled to have your personal data corrected if it is inaccurate or incomplete. Please inform us of any data which you would like rectified and we will usually respond within a month of the request. We will pass on the changes to any third parties who need to change their records and let you know this has been done.

The right to erasure

This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your personal data where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions but where possible we will comply with your request.

The right to restrict processing

You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, we can still store your personal data, but may not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.

The right to data portability

You have rights to obtain and reuse your personal data for your own purposes across different services. We will do our best to provide the information in an easy to read format.

The right to object to processing

You have the right to object to, or ask us to stop, processing your data; however, this may prevent us from fulfilling our contract with you.

The right to lodge a complaint

You have the right to lodge a complaint about the way we handle or process your personal data with a supervisory authority. The supervisory authority for the UK is the Information Commissioner.

The right to withdraw consent

If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful).

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our websites and, where appropriate, we will notify you by email. Please check back frequently to see any updates.

Subject access requests

We are legally required to act on requests and provide information free of charge with the exception of requests that are manifestly unfounded, excessive or repetitive.  If we determine this to be the case we may charge a reasonable fee or refuse to act on the request.  We will respond to acknowledge your request and provide the information within one month of receiving your request.  Please send your request to our data protection officer at the email address below with subject access request in the subject line.

Contact details

If you have any queries, questions or concerns about your data, how we are handling it, wish to ask us not to process your data or wish to ask us to erase your data please contact
