Privacy Policy

Patchwork has to handle personal data about temporary workers and the staff of their employers.

This page explains what personal data we handle and why we do so.

Colloquially, “locum” means a clinician working temporary shifts for an employer such as an NHS hospital. On this page, we say “locum” in the general sense to mean anyone who substitutes temporarily for another member of the same profession.

(For the legal eyed reading this, words in bold say the legal basis of the GDPR under which we are legally the controller of all data which you supply directly to Patchwork. Where your employer supplies Patchwork data, we are the processor.)

Here’s the personal data we handle starting when…

1. Locum applies to work for an employer/multiple employers (note Patchwork is not the employer)

When a locum applies to work at an employer/s we handle this personal data about them:

  • Email, password, cookies – to identify themselves to Patchwork
  • Name, data of birth – to match against existing Electronic Staff Records
  • Passport – required for photo identification, as medicine is a regulated industry
  • Right to work documents – if Passport doesn’t give right to work
  • Disclosure and Barring Service (DBS) – required by law and Government policy
  • GMC number – for identification with official register of medical practitioners
  • Proof of qualifications – ultimately, so can book only shifts they’re qualified for

Where a locum applies to work at for one employer, data will only be shared with that employer.

Where a locum applies to work for a number of employers who are working together as part of a collaborative approach or consortium, data will be shared with all employers to allow them to consider the application.

We do this to fulfil the contract between the locum and the employer (employment application).

Note that we give this information (except password and cookies!) to the employer’s HR team that the locum is applying to work at. We keep a history of rejected applications so the employer has a record for disputes and fraudulent applications.

We also store the same personal data so that the locum can more easily apply to other employers. This is by consent of the locums, and they can request deletion of the data at any time.

1.1 Lawful basis for processing

We process the data on Shifts booked, cancelled and signed-off to give Employers the information they need to make decisions on Shift Approvals, auto booking preferences and more.

2. Locum books a shift

After a locum is activated as working at an employer, we handle this personal data about them:

  • Name, password, cookies – to identify themselves to Patchwork
  • Mobile notification keys – for in-app push notifications about shifts
  • Grade and specialities – so they can only book shifts they’re qualified for
  • Shifts they have booked to work on
  • Departments they are assigned to
  • Whether they are a preferred locum – so don’t need approval when booking shifts

We do this to fulfil the employment contract between the locum and the employer. Of course the employer HR team has access to this information in their shift booking system (except password and cookies!).

So the employer can handle employment disputes, and for patient safety, we permanently store this personal data about the locum:

  • History of shifts they used to work on
  • Cancelled shifts and the reason they are cancelled
  • Changes to timing or escalation of shifts

Again, this is to fulfil the locum’s employment contract, particularly in the case of errors or disputes.

4. Agency locum books a shift

If a shift is filled not by Patchwork but by an agency we store this information about the agency locum:

  • Name of agency locum
  • Grade, department
  • Time and other details about shift

This is to fulfil the agency locum’s employment contract with their agency, which requires booking shifts on the employer’s booking system.

5. Locum gets paid

So a locum can get paid, we handle this personal data about them:

  • ESR / payroll number – for integration by the employer with their payroll system
  • Rate of pay for a shift
  • History of shifts and their rates of pay

This is necessary to fulfil the employment contracts between the locums and their employer. It is necessary that we keep the history, in case there are errors or disputes. The employer has access to this information.

6. Employer’s staff do their jobs

We handle some personal data about employer staff who use the Patchwork employer portal to do their work:

  • Name, password, cookies – to identify themselves to Patchwork
  • Audit history of their activity on the Patchwork employer portal

This is so the employer can perform their public task (if public sector) or legitimate interests (otherwise) of managing their HR team, including knowing who made decisions about the HR team.

7. All users

To help maintain our service we store:

  • Standard server logs

We do this in our legitimate interests to run a reliable service and provide customer support.

We generate aggregated statistical information about shifts, bookings and locums. For example, measuring the fill rate of an HR team. These statistics are no longer personal data. We use them for research, marketing and financial planning.

8. Making requests about your data

8.1 Rights of the Individual

If we hold any of your personal data, you can request to access it. In some cases, depending on the reason given above that we hold the data, you can request we correct, erase or restrict our processing of it.

9. Third Parties

9.1 Security, Privacy and Compliance Information for Patchwork

Patchwork is a data processor and engages certain onward subprocessors that may process personal data submitted to Patchwork’s services by the controller. These subprocessors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Patchwork from time to time:

  • - Intercom. Customer Relationship Management. (USA)
  • - Amazon Web Services, Inc. Hosting, storage and analytics. (UK)
  • - Mailchimp. Email. (USA)
  • - Google Inc. Analytics. (UK)
  • - Hotjar. Analytics. (EU)

If you’d like to to do this, please contact us by emailing

We’d also love to hear from you if you have any other questions.

If you have any concerns about any organisation’s processing of personal data, you can report your concern to the Information Commissioner’s Office.

9. Data Protection Officer

Jing Ouyang (Chief Operating Officer )