General Data Protection Regulation – Privacy Notice

How your personal information is used by Central and North West London NHS Foundation Trust.

Please read this privacy notice to understand how we use and protect the information that patients, like you, provide to us.

We value your privacy and want to be clear about the data we collect, how we use it and your rights to control that information, which is why we've updated this privacy notice.

CNWL Data Privacy Notice for Patients

Your information will be held by Central and North West London NHS Foundation Trust (CNWL).

The General Data Protection Regulation requires us to manage all personal information in accordance with the some important principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information.

Notice applicable as of 25 May 2018.

What's covered in this Data Privacy Notice?

Who we are

We are Central and North West London NHS Foundation Trust (CNWL).

CNWL are committed to providing excellent integrated patient care.  We are a large and diverse organisation, providing healthcare services for people with a wide range of physical and mental health needs.

We employ approximately 7,000 staff to provide more than 300 different health services across 150 sites and other services in community settings.  Our services cover:

  • Common physical health problems
  • Long-term conditions
  • Mental health difficulties
  • Learning disabilities
  • Eating disorders
  • Addictions
  • Sexual health.

We want you to have confidence in the way we handle your information when you use our services.

We will manage your personal information fairly, lawfully and transparently. This means you’ll know how we use your information and we’ll tell you about your rights too.

We want to make sure that you have confidence in CNWL and feel comfortable about giving us your information. Safely looking after your information is a key part of our relationship with you.

We have appointed a Data Protection Officer (known as a ‘DPO’) and a dedicated team that looks after data privacy rights.

You can write to us:

Data Protection Officer
Central and North West London NHS Foundation Trust
Stephenson House
75 Hampstead Road

You can also contact our the team by emailing:

Providing our services

When you use our services, we may receive information about you from different people such as a parent, guardian or representative you have appointed. Other clinical providers and partners involved in your care may share with us your information and vice versa, we will share your information with other medical professionals, across the NHS and with other agencies, involved in your healthcare when deemed appropriate.

We will only collect and share personal information that is relevant to your care. We will meet our obligations to you under the General Data Protection Regulations and Health and Social Care Act 2012, which include:

  • Providing your healthcare
  • Working with other agencies and partners involved in your healthcare
  • Telling you about CNWL services
  • Updating, consolidating and improving the accuracy of our records
  • Maintaing and improving our health services
  • Responding to your enquiries and complaints
  • Managing your relationship with us
  • Assisting regulatory authorities with their functions
  • Safeguarding
  • Crime detection, prevention and prosecution.

Why we use your personal information

Medical care

We obtain, record, share and use your information as part of CNWL’s responsibility to provide your medical care. This includes:

  • Healthcare provision
  • Diagnosis
  • Treatment
  • Social care
  • Management of our care record systems
  • Maintaining and improving health services.

Our healthcare professionals and employees are under obligation maintain professional secrecy and are required to maintain confidentiality as part of their employment contract. Everyone working for CNWL is subject to the common law duty of confidentiality.

Protection of life and vital interests

CNWL may use your information to protect you or someone else’s life when this is absolutely necessary.

Legal obligations

 Sometimes we are required by law to pass on certain information about you. Legal obligations to share information include:

  • Notifying officials of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010
  • Where a court orders us to share your information
  • When it’s required by us or others to detect, investigate or prevent serious crime.
  • Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office.

How long will we keep your information?

When determining how long we keep your information, we take into account any legal requirements, the expectations of the data protection regulator and the amount of time we need to hold your personal information to provide safe clinical care. 

The Records Management Code of Practice for Health and Social Care 2016 sets out what people working at CNWL need to do to manage records correctly. We follow a retention schedule which makes sure that information we no longer need is destroyed.


Cookies are small text files that are held on your computer. We use cookies to gather information to help us improve the website. We have a dedicated Cookies Policy for inspection.

Your rights

You have certain rights over your personal information. This includes:

  • A right to access a copy of your personal information
  • A right to object to the way we use your personal information as described above.

And in certain circumstances:

  • A right to ask for your personal information to be corrected and updated
  • A right to ask for your personal information to be destroyed
  • A right to restrict CNWL in how we can use your personal information

We may have to confirm your identity and in some circumstances need payment from you.


You have a right to ask CNWL if we have your personal information. If we do, you have a right to know:

  • Why we have it
  • What type of information we possess
  • Whether we have or will send it to others, especially outside the European Economic Area
  • How long we will keep it
  • Where we got it from
  • Details of any automated decision-making.

If you want, you can ask for a copy of your information. It may help you to use this form.


Where any of your information is incorrect, you have a right to tell us to correct it promptly. 

In certain circumstances, you may have other extra rights:

Right to object

Depending on the legal basis for which we are using your information, you may be entitled to object. We will always balance your rights with those of CNWL’s responsibilities and obligations.

Erasure (right to be forgotten)

You may have a right to have some or all of the information we hold about you deleted. However you should be aware that, as a healthcare provider, we are required to retain many records even after your treatment has finished at this Trust.


In certain circumstances you would be entitled to receive some of your information from us electronically. We can either pass the information to you, or to another person or business if you want.


You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold about you is incorrect.

Automated decision making

We do not use systems to make healthcare decisions solely by automated means without any human involvement.

Should CNWL ever look to use automated decision-making systems we will seek your consent and revise this privacy notice. We will always allow you to contest the decision, give your views and make sure there’s proper human involvement.


Should CNWL ever look to seek your consent to use your information, you have the right to withdraw that consent at any time.

Making this policy great

The General Data Protection Regulation is important. It strengthens data protection rules and enhances your information rights but rules are still grounded in common sense. CNWL will make changes to this privacy policy as part of our commitment to protecting your privacy and affording you even more transparency.

We hope you have found this privacy policy easy to understand. We also have a patient information leaflet (opens PDF) available from our staff or by contacting our Information Governance team.

Sharing your information

  • Camden Integrated Digital Record (CIDR) Information for people that live in the London Borough of Camden and or have a GP in Camden.
    More information on the Camden CCG website
  • North West London Whole Systems Integrated Care programme Information for people in the London Boroughs of Brent, Harrow and Hillingdon, Royal Borough of Kensington & Chelsea and the City of Westminster or access health services in these boroughs
    More information on the programme website

Related information