Corporate publication

Data Protection Policy

Placing data protection at the heart of the NHS Confederation’s operations to protect the rights of individuals and the charity from data breaches.

31 March 2022

Read the policy (PDF)

Purpose of this policy

As a Data Controller, the NHS Confederation takes its responsibilities regarding the management of the requirements of data protection legislation very seriously. ‘Data protection legislation’ includes the Data Protection Act 2018 and the UK General Data Protection Regulations (GDPR), as modified or replaced from time to time, and any other related legislation (such as the Privacy & Electronic Communications (EC Directive) Regulation 2003).

This policy sets out how the NHS Confederation manages those responsibilities and aims to place data protection at the heart of the NHS Confederation’s operations to protect and promote the rights of individuals and protect the charity from the risk of data breaches.


This policy applies to everyone working at or with the NHS Confederation.

It applies to:

  • all staff, including chief executives, directors, senior managers, employees (whether permanent, fixed term or temporary), seconded staff, homeworkers, agency workers and volunteers
  • consultants and contractors
  • trustees and committee members.

Any employing or contracting manager must ensure that all temporary staff, consultants, or contractors are aware of this policy.

By the NHS Confederation we mean the NHS Confederation charity, any subsidiary companies, and any hosted networked organisation.

This policy applies to all personal data the NHS Confederation collects, stores and processes, regardless of where the data is stored (e.g. on an employee’s own device) and regardless of the data subject. The main personal information held is in relation to representatives at member organisations, employees, board and committee members, volunteers, employment applicants and other stakeholders. Personal data refers to any identifiable data relating to an individual. It doesn’t need to be data that is considered private and can relate to an individual’s ‘work details’.

The NHS Confederation has designated the Director of People and Governance as the individual who is responsible for ensuring that the NHS Confederation implements this policy. This policy should be read in conjunction with the organisation’s IT Security Policy, Privacy Statement and Procedures for Data Breaches and Subject Access Requests.

The Policy should also be read in conjunction with the Information Commissioner’s Office guidance on data protection legislation.

View the policy library.
