How your personal information is used by Central and North West London NHS Foundation Trust.

This Privacy Notice explains how we use and protect the information you provide to us. It outlines the types of data we collect and how we use them.

The General Data Protection Regulation requires us to manage all personal information in accordance with significant principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information and your information will be held by Central and North West London NHS Foundation Trust (CNWL).

We are Central and North West London NHS Foundation Trust (CNWL). CNWL is committed to providing excellent integrated patient care. We are a large and diverse organisation, providing healthcare services for people with a wide range of physical and mental health needs.

We employ approximately 7,000 staff to provide more than 300 different health services across 150 sites and other services in community settings. Our services cover:

  • Common physical health problems
  • Long-term conditions
  • Mental health difficulties
  • Learning disabilities
  • Eating disorders
  • Addictions
  • Sexual health.

We want you to have confidence in the way we handle your information

We will manage your personal information fairly, lawfully and transparently. You’ll know how we use your information and we’ll tell you about your rights too.

We want to make sure that you have confidence in CNWL and feel comfortable about giving us your information. Safely looking after your information is a key part of our relationship with you.

We have appointed a Data Protection Officer and a dedicated team that looks after data privacy rights. If you have any complaint about the way your data has been handled, you can contact our Data Protection Officer (DPO) by emailing: and our Information Governance team on

  • Basic details about you such as address, date of birth, ethnicity, NHS number and next of kin
  • Contact we have had with you such as clinical visits
  • Notes and reports about your health
  • Results of investigations such as laboratory tests and X-rays
  • Relevant information including information from people who care for you and know you well, such as health professionals and relatives.

When you use our services, we will record relevant personal and clinical information you provide to us. We may also receive relevant information about you from different people such as a parent, guardian or representative you have appointed.

We will only share your clinical health information with NHS care professionals and other care providers involved in your care when it is appropriate, fair and lawful to do so. Other clinical providers and partners involved in your care may share your information with us.

We will collect and share personal information that is relevant to your care. We will meet our obligations to you under the General Data Protection Regulation and the Health and Social Care Act 2012, which include:

  • Providing your healthcare
  • Working with other agencies and partners involved in your healthcare
  • Telling you about CNWL services
  • Updating, consolidating and improving the accuracy of our records
  • Maintaining and improving our health services, making sure your care is safe and effective
  • Responding to your enquiries and complaints
  • Managing your relationship with us
  • Assisting regulatory authorities with their functions
  • Safeguarding
  • Crime detection, prevention and prosecution.

Clerical staff, receptionists and secretarial staff will need to use information in your records to carry out administrative tasks, such as booking appointments and communicating with you and other parts of the NHS. (For instance, we may use your mobile phone details to provide a text messaging reminder service to notify you in advance of your appointment.)

We will never share information with your friends, colleagues or neighbours without your consent and we will not pass on information to your family if you do not want us to.

NHS staff who provide care should always:

  • Discuss and agree with you what they are going to record about you
  • Give you a copy of letters they are writing about you, if you ask
  • Show you what they have recorded about you, if you ask
  • Ask for your consent to share information with other healthcare professionals

  • Information is recorded on paper and computer systems.
  • Core healthcare records are kept in computer form within secure and approved database systems. These systems meet strict security standards and cannot be accessed by anyone without permission. We continue to keep paper records for some purposes and they are stored securely. The Trust will on occasion collate, analyse or transfer your clinical or administrative data using approved digital automation processes in order to provide efficient and clinically safe services.
  • Everyone working for the NHS has a legal duty to maintain the highest level of confidentiality.

The primary purposes for collecting information are the provision of healthcare services and our statutory duty to maintain an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided and of decisions taken in relation to that care and treatment.

Medical care

We obtain, record, share and use your information as part of CNWL’s responsibility to provide your medical care. This includes:

  • Healthcare provision/Clinical Audits
  • Diagnosis
  • Treatment
  • Social care
  • Management of our care record systems
  • Maintaining and improving health services.

Our healthcare professionals and employees are under an obligation to maintain professional secrecy and are required to maintain confidentiality as part of their employment contract. Everyone working for CNWL is subject to the common law duty of confidentiality.

Protection of life and vital interests

CNWL may use your information to protect your life or someone else’s when this is absolutely necessary.

Legal obligations

Sometimes we are required by law to pass on certain information about you. Legal obligations to share information include:

  • Notifying officials of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010
  • Where a court orders us to share your information
  • When it’s required by us or others to detect, investigate or prevent serious crime.
  • Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office.

National Fraud Initiative (NFI)

We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. Please see this guidance.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR). For further information on the reasons why it matches particular information, see this guidance.

For further information on data matching at Central and North West London NHS Foundation Trust please contact Kate Harrington Stillwell, Local Counter Fraud Specialist, by emailing You can also find further information on how the NFI has assisted the NHS and other public sector organisations.


CNWL is a research organisation. The Trust processes personal information for research purposes under the public interest.

Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (‘data minimisation’) and ensuring the data cannot be linked to you (‘anonymising’ or ‘pseudonymising’ the information).

Confidential patient information provides numerous benefits. It is used in research to find cures and better treatments for diseases like diabetes and cancer.

The national data opt-out (see below) is a new service that allows people to opt out of their confidential patient information being used for research and planning.

You can opt-out on the NHS website.

National Data Opt-Out

In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This is to give patients and the public more control over how their confidential patient information is used for research and planning purposes.

What is the National Data Opt-Out?

It is a service that enables the public to opt out of their confidential patient information being used for purposes beyond their individual care and treatment – specifically research and planning. The public can change their national data opt-out choice at any time.

Who needs to comply with the National Data Opt-Out Policy?

The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority.  It does not apply to data related to private patients at private providers.

In summary, the national data opt-out applies to:

  • all NHS organisations (including private patients treated within such organisations),
  • all Local Authorities providing publicly funded care,
  • adult social care providers where the care provided is funded or arranged by a public body, and
  • private or charitable healthcare providers providing NHS funded treatment or arranged care.

Which data disclosures do national data opt-outs apply to?

National data opt-outs apply to a disclosure when an organisation, e.g. a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.

Put simply, national data opt-outs apply in cases where the approval is subject to the Confidentiality Advisory Group (CAG) ‘standard condition’ that ‘the wishes of patients who have withheld or withdrawn their consent are respected’ (e.g. their opt-out).

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002.  The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, e.g. research body, without being in breach of the common law duty of confidentiality.  

National data opt-outs do not apply where:

  • information being disclosed is anonymised in accordance with the Information Commissioner’s Office’s anonymisation code of practice,
  • the individual has given their consent for their information to be used for a particular purpose, e.g. a specific research study,
  • there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the ‘public interest test’, and
  • there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.

In the scenarios above, section 251 approvals would not have been sought.

What will the CNWL do?

The Trust will put processes in place to assess any current or future uses of confidential patient information prior to disclosure, to consider and apply national data opt-outs where necessary in accordance with the national data opt-out operational policy. These will be included in Trust policies and procedures and disseminated to staff. The Trust will also update its patient privacy notice with a national data opt-out compliance statement.

In addition to routine correspondence relating to treatment and appointments, your contact details (including address, phone number or email address) may also be used to contact you by email, post, SMS or an interactive voice phone call, to obtain feedback on your experience in using Trust services including, but not limited to, the NHS Friends and Family Test (FFT).

You will be able to opt out of participating in the FFT, or any other survey, when you are first contacted. The lawful basis for using your information for this purpose is that it falls within our official authority as a health service provider, as we have a contractual obligation to run the FFT.

In addition, we have a statutory duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess and monitor the quality of the experience of service users. Your responses to the FFT are anonymous and cannot be traced back to you. Responses to other surveys will also be anonymous unless it is made clear to you that this is not the case, in which case we will only proceed with your specific consent.

When determining how long we keep your information, we consider any legal requirements, the expectations of the data protection regulator and the amount of time we need to hold your personal information to provide safe clinical care.

The Records Management Code of Practice for Health and Social Care 2021 sets out what people working at CNWL need to do to manage records correctly. We follow a retention schedule which makes sure that information we no longer need is destroyed.

Cookies are small text files that are held on your computer. We use cookies to gather information to help us improve the website. We have a dedicated Cookies Policy available for inspection.

Store personal data – data will only be held for as long as it's required and for the reason it was collected. After this it will be stored in line with the Records Management Code of Practice for Health and Social Care 2016 and be disposed of securely after this time.

Keep data secure and confidential – the Trust must ensure that your personal data is kept secure at all times. This includes technical security such as firewalls and anti-virus software, along with physical security to protect against theft or loss of data, whether on computer systems or paper-based. We also carry out Data Protection Impact Assessments (DPIAs) where required, to identify and minimise data protection risks. A DPIA may be made available on request by completing this form.

Pass on your data – we may need to provide your personal information to another organisation to comply with our legal obligations, to carry out a public task, or for reasons of public interest. We may also need to share your information if this is within your best interests, for example, if you require urgent care or there are safeguarding concerns.  

Reporting data breaches – the GDPR states that organisations must have suitable controls in place to detect personal data breaches, as well as reporting them to the relevant authority within 72 hours if they are deemed to be of significant risk. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the Trust will inform those individuals without undue delay. CNWL has robust breach detection, investigation and internal reporting procedures in place to ensure your data is kept safe.

You have certain rights over your personal information. These include:

  • A right to access a copy of your personal information
  • A right to object to the way we use your personal information as described above.

And in certain circumstances:

  • A right to ask for your personal information to be corrected and updated
  • A right to ask for your personal information to be destroyed
  • A right to restrict CNWL in how we can use your personal information

We may have to confirm your identity, and for further requests for the same information a reasonable fee may be charged to cover CNWL administration costs where the request is deemed to be ‘manifestly unfounded’ or ‘excessive’ under the Access to Health Records Act 1990.

If you request to have your records amended, and we are unable to make the amendment, we will attach a statement of your views to your records.

For concerns about your information rights, contact our Data Protection Officer via

You have a right to ask CNWL if we have your personal information. If we do, you have a right to know:

  • Why we have it
  • What type of information we possess
  • Whether we have or will send it to others, especially outside the European Economic Area
  • How long we will keep it
  • Where we got it from
  • Details of any automated decision-making.

Right of access

You have a right to access any personal information we hold about you. This is called a Subject Access Request (SAR). Please complete the form online.

Alternatively, the Trust may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’. This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.

This process can take time, but we will normally respond to you within one calendar month from the date of the request. This can be extended by up to a further two months, depending on the complexity and number of requests.

Right to be informed

You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the Data Protection Act 2018.


You have the right to require us to rectify information about you that is factually inaccurate, and you may also ask us to remove information which is factually inaccurate or to complete information which is incomplete. To do this, you will need to email for a form.

Right to object

You have the right to object to the processing of your data based on legitimate interests or performance of a task in the public interest. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

Right to be forgotten

You have a right to seek the erasure of your data. You may wish to exercise this right for any reason. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.

Right to withdraw

If we rely on consent as the legal basis for processing your data, you have the right to withdraw that consent. However, we often rely on different legal bases for different aspects of processing. This means that we may not be able to act on your request if we have a compelling legal reason not to. Please email the services that collected your consent if you wish to withdraw it.


You have a right to obtain your personal data from us and reuse it for your own purposes, for example with another service, without this hindering the usability of the data.


You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold about you is incorrect.

We do not use systems to make healthcare decisions solely by automated means without any human involvement.

Should CNWL ever look to use automated decision-making systems we will seek your consent and revise this privacy notice. We will always allow you to contest the decision, give your views and make sure there’s proper human involvement.

Should CNWL ever look to seek your consent to use your information, you have the right to withdraw that consent at any time.

We hope you have found this privacy policy easy to understand. We also have a Patient Information Leaflet.

For specific privacy information for Occupational Health, please visit their privacy notice.

You can find more detailed information about your data protection rights on the ICO website.

Staff, volunteers and job applicants should use the Accessing personnel records – guidance for staff form to obtain access to the information the Trust holds on you.

Also, if you are not a patient or Service User you will need to email

If you still have any concerns about the way we have handled your data or are not happy with the Trust’s response to any data protection concern you have raised, you are entitled to contact the Information Commissioner’s Office as below.

The Information Commissioner's Office
Wycliffe House
Water Lane

Telephone number: 0303 123 1113


This Processing Special Category Data – Appropriate Policy document explains how Central and North West London NHS Foundation Trust (CNWL) uses and protects the information you provide to us in accordance with the Data Protection Act (DPA) 2018. It outlines the legal basis on which we process special category data.

The General Data Protection Regulation requires the Trust to manage all personal information in accordance with significant principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information and your information will be held by Central and North West London NHS Foundation Trust (CNWL).

This policy demonstrates that the processing of special category data based on DPA Schedule 1 conditions is compliant with the requirements of the General Data Protection Regulation (GDPR) Article 5 principles, and it complements the Trust’s record of processing activity and accountability framework.