How we process your information

We are Central and North West London NHS Foundation Trust (CNWL). CNWL is committed to providing excellent integrated patient care in London, Milton Keynes, Surrey and areas beyond. We are a large and diverse organisation, providing healthcare services for people with a wide range of physical and mental health needs.

We employ approximately 9,000 staff to provide more than 300 different health services across 150 sites and other services in community settings. Our services cover:

• Common physical health problems
• Long-term conditions
• Mental health difficulties
• Learning disabilities
• Eating disorders
• Addictions
• Sexual health
• Health and Justice

We want you to have confidence in the way we handle your information

We hadle your personal information in a fair, legal and transparent way. You’ll always be informed about how we use your data and your rights regarding it.

We want to make sure that you have confidence in CNWL and feel comfortable about giving us your information. Safely looking after your information is a key part of our relationship with you.

We have appointed a Data Protection Officer and a dedicated team that looks after data privacy rights and if you have any complaints about the way your data has been handled, you can contact our Data Protection Officer (DPO) by emailing: cnwl.dpo@nhs.net and our Information Governance team on healthrecords.cnwl@nhs.net.

• Basic details about you such as address, date of birth, ethnicity, NHS number and next of kin
• Contacts we have had with you, such as clinical visits
• Notes and reports about your health
• Results of investigations such as laboratory tests and X-rays
• Relevant information including information from people who care for you and know you well, such as health professionals and relatives.

When you use our services, we will record relevant personal and clinical information you provide to us. We may also receive relevant information about you from different people such as a parent, guardian or representative you have appointed.

We will only share your clinical health information with NHS care professionals and other care providers involved in your care, when it is appropriate, fair and lawful to do so. Other clinical providers and partners involved in your care may share with us your information.

We will collect and share personal information that is relevant to your care. We will meet our obligations to you under the UK General Data Protection Regulations and Health and Social Care Act 2012, which include:

• Providing your healthcare
• Working with other agencies and partners involved in your healthcare
• Telling you about CNWL services
• Updating, consolidating and improving the accuracy of our records
• Maintaining and improving our health services, making sure your care is safe and effective
• Responding to your enquiries and complaints
• Managing your relationship with us
• Assisting regulatory authorities with their functions
• Safeguarding
• Crime detection, prevention and prosecution
• Clerical staff, receptionists and secretarial staff will need to use information in your records to carry out administrative tasks, such as booking appointments and communicating with you and other parts of the NHS. (For instance, we may use your mobile phone details to provide a text messaging reminder service to notify you in advance of your appointment).

We use a number of differenct systems that link the various health and care services operating across our three Integrated Care Services (ICSs). These systems are designed to support staff in delivering fast, seamless and effective care, while ensuring that patients can trust that everyone involved in their treatment has access to the information they need. Our ICSs are North Central London, North West London and Bedfordshire, Luton and Milton Keynes. 

NHS staff who provide care should always:

• Discuss and agree with you what they are going to record about you
• Let you know if specialist tools such as clinically assured AI tools are being used to support your assessment and care
• Give you a copy of letters they are writing about you, if you ask
• Show you what they have recorded about you, if you ask
• Ask for your consent to share information with other healthcare professionals (if appropriate).

We will never share information with your friends, colleagues or neighbours without your consent and we will not pass on information to your family if you do not want us to. 

• Information is recorded on paper and computer systems.
• Core healthcare records are kept in computer form within secure and approved database systems. These systems meet strict security standards and cannot be accessed by anyone without permission. We continue to keep paper records for some purposes and they are stored securely. The Trust will on occasion collate, analyse or transfer your clinical or administrative data using approved digital automation processes in order to provide efficient and clinically safe services.
• Everyone working for the NHS has a legal duty to maintain the highest level of confidentiality.

The primary purposes for collecting information is for the provision of healthcare services, and our statutory duty to maintain an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided and of decisions taken in relation to the care and treatment provided.

Medical care

We obtain, record, share and use your information as part of CNWL’s responsibility to provide your medical care. This includes:

• Healthcare provision/Clinical Audits
• Diagnosis
• Treatment
• Social care
• Management of our care record systems
• Maintaining and improving health services.

Our healthcare professionals and employees are under obligation to maintain professional secrecy and are required to maintain confidentiality as part of their employment contract. Everyone working for CNWL is subject to the common law duty of confidentiality.

Protection of life and vital interests

CNWL may use your information to protect you or someone else’s life when this is absolutely necessary.

Legal obligations

Sometimes we are required by law to pass on certain information about you. Legal obligations to share information include:

• Notifying officials of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010
• Where a court orders us to share your information
• When it’s required by us or others to detect, investigate or prevent serious crime.
• Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office.

National Fraud Initiative (NFI)

We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. Please see this guidance.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the UK General Data Protection Regulation (GDPR). For further information on the reasons why it matches particular information, see this guidance.

For further information on data matching at CNWL please contact Kate Harrington Stillwell, Local Counter Fraud Specialist, by emailing kate.harrington-stillwell@rsmuk.com. You can also find further information on how the NFI has assisted the NHS and other public sector organisations.

Research

Research is at the heart of improving health services and developing new treatments. Whenever you use a health or care service, such as attending Acciesent & Emergency or using Community Care services, important information about you is collected in patient record for that service. Collecting this information helps to ensyre you get the best possible care and treatment. 

The information collected about you when you use these services can also be used for purposes beyond your individual care, for instances to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear leagal basis to use this information. All these uses help to provie better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. 

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn't needed. 

Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (‘data minimisation’) and ensuring the data cannot be linked to you (‘anonymising’ or ‘pseudonymising’ the information).

Confidential patient information provides numerous benefits. It is used in research to find cures and better treatments for diseases like diabetes and cancer.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care. 

The national data opt-out is a new service that allows people to opt out of their confidential patient information being used for research and planning.

To find out more or to register your choice to opt out, please visit the NHS website.

In addition to routine correspondence relating to treatment and appointments, your contact details (including address, phone number or email address) may also be used to contact you by email, post, SMS or an interactive voice phone call, to obtain feedback on your experience in using Trust services including, but not limited to, the NHS Friends and Family Test (FFT).

You will be able to opt-out of participating in the FFT, or any other survey when you are first contacted. The lawful basis for using your information for this purpose is that it falls within our official authority as a health service provider as we have a contractual obligation to run the FFT.

In addition, we have a statutory duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess and monitor the quality of the experience of service users. Your responses to the FFT are anonymous and can not be traced back to you. Responses to other surveys will be also be anonymous unless it is made clear to you that this is not the case, when we will only proceed with your specific consent.

When determining how long we keep your information, we consider any legal requirements, the expectations of the data protection regulator and the amount of time we need to hold your personal information to provide safe clinical care.

The Record Management Code of Practice for Health and Social Care 2021 sets out what people working at CNWL need to do to manage records correctly. We follow a retention schedule which makes sure that information we no longer need is destroyed.

Cookies are small text files that are held on your computer. We use cookies to gather information to help us improve the website. We have a dedicated Cookies Policy for inspection.

Store personal data – data will only be held for as long as it's required and for the reason it was collected. After this it will be stored in line with the Records Management Code of Practice for Health and Social Care 2016 and be disposed of securely after this time.

Keep data secure and confidential – the Trust must ensure that your personal data is kept secure at all times. This includes technical security such as firewalls and anti-virus software, along with physical security to protect against theft or loss of data, either on computer systems or paper-based.

Pass on your data – we may need to provide your personal information to another organisation to comply with our legal obligations, to carry out a public task, or for reasons of public interest. We may also need to share your information if this is within your best interests, for example, if you require urgent care or there are safeguarding concerns.  

Reporting data breaches – The GDPR states that organisations must have suitable controls in place to detect personal breaches as well as reporting them to a relevant authority within 72 hours, if they are deemed to be of a significant risk. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the Trust will inform those individuals without undue delay. CNWL has a robust breach detection, investigation and internal reporting procedures in place to ensure your data is kept safe.

You have certain rights over your personal information. These include:

• A right to access a copy of your personal information
• A right to object to the way we use your personal information as described above.

And in certain circumstances:

• A right to ask for your personal information to be corrected and updated
• A right to ask for your personal information to be destroyed
• A right to restrict CNWL in how we can use your personal information

We may have to confirm your identity and for further requests for the same information, a reasonable fee may be charged to cover CNWL administration costs where the request is deemed to be 'manifestly unfounded' or ‘excessive ' under the Access to Health Records Act 1990.

If you request to have your records amended, and we are unable to make the amendment, we will attach a statement of your views to your records.

You have a right to ask CNWL if we have your personal information. If we do, you have a right to know:

• Why we have it
• What type of information we possess
• Whether we have or will send it to others, especially outside the European Economic Area
• How long we will keep it
• Where we got it from
• Details of any automated decision-making.

Right of access

You have a right to access any personal information we hold on you- this is called a Subject Access Request (SAR). Please complete the form along with acceptable proof of identity to healthrecords.cnwl@nhs.net 

Alternatively, the Trust may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’. This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.

This process can take time, but we will normally respond to you within one calendar month from the date of the request. This can be extended by up to a further two months, considering the complexity and number of requests

Right to be informed

You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the Data Protection Act 2018.

Rectification

You have the right to require us to rectify information about you that is factually inaccurate, and you may also ask us to remove information which is factually inaccurate or to complete information which is incomplete. To do this, you will need to complete and return this form. 

Right to object

You have the right to object to the processing of your data based on legitimate interests or performance of a task in the public interest. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

Right to be forgotten

You have a right to seek the erasure of your data. You may wish to exercise this right for any reason. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.

Right to withdraw

If we rely on consent as the legal basis for processing your data. However, we often rely on different legal bases for different aspects of processing. This means that we may not be able to act on your request if we have a compelling legal reason not to. Please email the services that collected your consent if you wish to withdraw.

Portability

You have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data.

Restriction

You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold about you is incorrect.

We do not use systems to make healthcare decisions solely by automated means without any human involvement.

Should CNWL ever look to use automated decision-making systems we will seek your consent and revise this privacy notice. We will always allow you to contest the decision, give your views and make sure there’s proper human involvement.

Should CNWL ever look to seek your consent to use your information, you have the right to withdraw that consent at any time.

We hope you have found this privacy policy easy to understand. We also have a Patient Information Leaflet.

For service level specific privacy information, please visit the service webpage.

For specific privacy information for Occupational Health, please visit their privacy notice.

You can find more detailed information about your data protection rights on the ICO website.

Staff, volunteers and job applicants should use the Accessing personnel records – guidance for staff form to obtain access to the information the Trust holds on you.

Also, if you are not a patient or Service User you will need to complete the Subject Access Request application to obtain the access. 

If you still have any concerns about the way we have handled your data or are not happy with the Trust’s response to any data protection concern you have raised, you are entitled to contact the Information Commissioner’s Office as below.

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone number: 0303 123 1113

This Processing Special Category Data – Appropriate policy explains how Central and North West London NHS Foundation Trust (CNWL) uses and protects the information you provide to us in accordance with the Data Protection Act (DPA) 2018. It outlines the legal basis for which we process special category data.

The General Data Protection Regulation requires the Trust to manage all personal information in accordance with significant principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information and your information will be held by Central and North West London NHS Foundation Trust (CNWL).

This policy demonstrates that the processing of special category data based on DPA Schedule 1 conditions, is compliant with the requirements of the General Data Protection Regulation (GDPR) Article 5 principles and it complements the Trust’s record of processing activity and accountability framework.