WRaPT Fair Processing Notice

About us

The Workforce Repository and Planning Tool (WRaPT) has been commissioned by Health Education England (North West) and is hosted by Lancashire and South Cumbria NHS Foundation Trust (LCFT), working in partnership with Carados. Our team is comprised of experts in workforce transformation and cross economy healthcare. We are a multidisciplinary group of clinicians, workforce consultants and planners whose sole focus is to help the NHS and care sectors solve workforce issues

Why we collect data

In order to meet the challenge of providing effective and meaningful workforce planning the WRaPT Team collect and process a range of information relating to a wide variety of organisations across the health and social care economy.

What data do we collect and hold

We collect Workforce data relating to staff roles such as contractual hours and salary as well as, where appropriate, Year of birth. Mandated fields within the workforce template are as follows: Organisation hierarchy level 1, Role, Position Title, Salary, WTE, Unique Identifier and Cost Centre. We also collect activity data dependent on the project.

We do not collect names or National Insurance numbers however we do collect a unique identifier, usually an assignment number. We use this to create a pseudonym identifier for each record. Doing this reduces the risk of individuals being identified from the data whilst allowing us to fulfil our responsibilities to data subjects and partner organisations.

We also collect activity data dependent on the project.

Where does the information come from?

All the data we use comes from our partner organisations in the health and social care economy – in most cases your employer. They are responsible for ensuring that the data we have is accurate and limited to only the required fields.

What do we use the information for?

The data is used to create scenario models based on workforce, activity or efficiency changes. It is also used to create workforce baseline analysis, giving planners insight into the current workforce being deployed.

Sharing your information

WRaPT will not share personal or record level information outside of the stipulated data sharing agreement of each project. Data may be aggregated and anonymised for presentation / demonstration purposes.

Records Retention and Disposal

WRaPT adhere to all Lancashire and South Cumbria NHS Foundation Trust’s Information Governance policies and procedures. Consequently, data will be stored for a maximum 12 month period as outlined in the NHS Records Management Code of Practice retention schedule. Following the retention period the record will be confidentially destroyed.

Protecting your data

We take our duty to protect personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible.

An information sharing agreement is always in place upon commencing a project to ensure data is kept confidential and secure

We are by a legal duty of confidentiality under the General Data Protection Regulations (GDPR). The principles as set out below are fully endorsed by the WRaPT Team.

GDPR and your rights

The GDPR provides the following rights for individuals:

  • The right to be informed: Data subjects have the right to be informed about the collection and use of their information including the reasons for processing the data, how long the information will be held for and who it will be shared with.
  • The right of access: Data subjects have the right to access their personal data. See how can you access your information above for details.
  • The right to rectification: Data subjects have the right to request that inaccurate personal information be corrected, or completed if it is incomplete. All requests to amend the information contained in your will be considered.
  • The right to erasure: Also known as ‘the right to be forgotten’, this right only applies in certain circumstances. This right does apply in cases where data is used for non-direct healthcare purposes including research and planning.
  • The right to restrict processing: Data subjects have the right to request WRaPT restrict the processing of their data where they have contested the accuracy of their data or feel that their data has been unlawfully processed. This restriction will only be temporary whilst a decision about rectification or lawful processing is being made.
  • The right to data portability: The right to data portability allows individuals to obtain and reuse their personal data from certain organisations for their own purposes across different services. This right only applies where consent has been used for the processing of your information or where there are automated decision making processes in place. Therefore this does not apply with workforce data held by WRaPT.
  • The right to object: Individuals have the right to object to the processing of their data in a number of different circumstances, in particular profiling, direct marketing and processing for purposes of scientific/ historical research and statistics. WRaPT can demonstrate legitimate grounds for processing and do not share data for marketing purposes
  • Rights in relation to automated decision making and profiling: The GDPR has rules in place to protect individuals where organisations are carrying out automated decision making. This is where a decision is made solely by automated means with no human involvement. This also includes profiling. Profiling evaluates certain things about an individual. WRaPT / Lancashire and South Cumbria NHS Foundation Trust does not use processes which include solely automated decision making or profiling.
Who helps protect your information

WRaPT operate and adhere to all Lancashire and South Cumbria NHS Foundation Trust’s Information Governance policies and procedures. LSCFT employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law and GDPR.

These roles include:

Caldicott Guardian

The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional appointed to ensure that the information of service users is handled in a confidential manner by the Trust and enabling appropriate information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.

Senior Information Risk Owner (SIRO)

The SIRO is an Executive Director in the Trust with overall responsibility for managing organisational information risk and putting strategies in place to control the identified risks.

Data Protection Officer (DPO)

Under the General Data Protection Regulations (GDPR) all large public authority organisations such as Lancashire and South Cumbria NHS Foundation Trust are legally required to employ a Data Protection Officer. This person is responsible for providing advice and guidance to staff and the Trust Board on aspects of the Data Protection law and related regulation and codes of practice.

The Trust Data Protection Officer is Michelle Brammah.

Access to your personal information

You are entitled to obtain a copy of the personal information held about you by the WRaPT Team under the provisions of the General Data Protection Regulations (GDPR) and Data Protection Act 2018. This is known as a Subject Access Request (SAR). SARs are managed in accordance with the Trust Access to Records Policy. You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone). We will also check that the information we send you does not contain information you are not entitled to see.

To make a request for personal information, email or write to:

WRaPT Team
Lancashire and South Cumbria NHS Foundation Trust
c/o Sceptre Point
Sceptre Way
Bamber Bridge


Data subjects have the right to lodge a complaint with Lancashire and South Cumbria NHS Foundation Trust’s Data Protection Officer or Hearing Feedback team if they feel that their information is not being processed, stored or shared in accordance with the General Data Protection Regulations (GDPR).

They can be contacted via the Trust headquarters or the following email addresses:

If you are not satisfied with the Trust response you can lodge a complaint with the Information Commissioners Office (ICO). Contact details can be found at