We aim to provide you with the best possible care. In order to do this we must keep records. These may include:

  • Basic details about you such as address, date of birth, ethnicity, NHS number and next of kin
  • Contact we have had with you such as clinical visits
  • Notes and reports about your health
  • Results of investigations such as laboratory tests and X-rays
  • Relevant information including information from people who care for you and know you well, such as health professionals and relatives.

Information is recorded on paper and computer systems.

Core healthcare records are kept in computer form within secure and approved database systems. These systems meet strict security standards and cannot be accessed by anyone without permission. We continue to keep paper records for some purposes and they are stored securely.

Everyone working for the NHS has a legal duty to maintain the highest level of confidentiality.

We need it to ensure that:

  • You receive the best possible care.
  • Doctors, nurses or other healthcare professionals involved in your care have accurate information to assess your health and future care needs.
  • Full information is available should you see another doctor, or be referred to a specialist or another part of the NHS.
  • There is a good basis for assessing the type and quality of care you have received.
  • Your concerns can be properly investigated if you need to complain.


  • Clerical staff, receptionists and secretarial staff will need to use information in your records to carry out administrative tasks, such as booking appointments and communicating with you and other parts of the NHS. (For instance, we may use your mobile phone details to provide a text messaging reminder service to notify you in advance of your appointment).

NHS staff who provide care should always:

  • Discuss and agree with you what they are going to record about you
  • Give you a copy of letters they are writing about you, if you ask
  • Show you what they have recorded about you, if you ask
  • Ask for your consent to share information with other healthcare professionals

The health professionals who care for you use your records to:

  • Provide a good basis for all health decisions made by you and healthcare professionals
  • Make sure your care is safe and effective
  • Work effectively with others providing your care

We may also need to use records about you to:

  • Assess the quality of care you receive through clinical audits
  • Help investigate any concerns or complaints you or your family have about your healthcare
  • Make sure our services can meet patient needs in the future
  • Teach and train health professionals
  • Fund, develop and plan our services to you
  • Protect the health of the general public

The Trust mainly uses an electronic care records system called SystmOne to store information about patients. In sexual health services we moved to a system called Cellma in December 2014.

Within the Trust we operate a ‘need to know’ policy. Your information will only be seen by those who need to see it and they will only be given access to the minimum information required.

If care is provided by other agencies such as social services we will share information with them insofar as it supports your care. If you are involved with other agencies for non-health reasons (such as housing, for instance) we will only share information with your permission.

Today, health and social care is delivered by different organisations that work separately. Organisational boundaries can make it more difficult for professionals to work together to provide the kind of high quality, joined up support that people expect and want. In London and nationally there are several programmes to make sure that your records are shared among all organisations providing care to you. If you don’t want your records to be shared via these programmes you can withhold your consent.

We will never share information with your friends, colleagues or neighbours without your consent and we will not pass on information to your family if you do not want us to.

If your welfare is at risk we will share information in order to help you. We will also share relevant information if we are legally required to do so.

Our services are regularly inspected by the Care Quality Commission, who have the responsibility to assess the quality of our services, and as part of that process the CQC may request access to your clinical records.

We have a responsibility to:

Store personal data – data will only be held for as long as it is required and for the reason it was collected. After this it will be stored in line with the Records Management Code of Practice for Health and Social Care 2016 and be disposed of securely after this time.

Keep data secure and confidential – The Trust must ensure that your personal data is kept secure at all times. This includes technical security such as firewalls and anti-virus software, along with physical security to protect against theft or loss of data, either on computer systems or paper-based.

Pass on your data – we may need to provide your personal information to another organisation to comply with our legal obligations, to carry out a public task, or for reasons of public interest. We may also need to share your information if this is within your best interests, for example, if you require urgent care or there are safeguarding concerns.  

Reporting data breaches – The GDPR states that organisations must have suitable controls in place to detect personal data breaches and to report them to a relevant authority within 72 hours, if they are deemed to pose a significant risk. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the Trust will inform those individuals without undue delay. CNWL has robust breach detection, investigation and internal reporting procedures in place to ensure your data is kept safe.

As a Data Subject, you have certain rights in relation to the data we hold about you. These are listed below:

Right of access - You have a right to access any personal information we hold on you; this is called a Subject Access Request (SAR). Please complete the Request access to your health records application in full and send it, along with acceptable proof of identity (as listed on the form), to healthrecords.cnwl@nhs.net.

Right to be informed - You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the Data Protection Act 2018.

Right to object - You have the right to object to the processing of your data based on legitimate interests or performance of a task in the public interest. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

Right to rectification - You have the right to require us to rectify information about you that is factually inaccurate, and you may also ask us to remove information which is factually inaccurate or to complete information which is incomplete. To do this, you will need to complete and return the form at the following link.

Right of portability - You have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data.

Right to be forgotten - You have a right to seek the erasure of your data. You may wish to exercise this right for any reason. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.

Right to withdraw – You have the right to withdraw if we rely on consent as the legal basis for processing your data. However, we often rely on different legal bases for different aspects of processing. This means that we may not be able to act on your request if we have a compelling legal reason not to. Please email the services that collected your consent if you wish to withdraw.

You can find more detailed information about your data protection rights on the ICO website, via the following link. If you are unhappy with how we've used your data please let us know by emailing cnwl.dpo@nhs.net. However, if you are still unhappy after we have responded, you have the right to complain to the ICO.

You have the legal right to see the information we hold about you under the Data Protection Act (2018).

If you are a patient and require a copy of your health records, please complete the Request access to your health records online application in full and send it, along with acceptable proof of identity (as listed on the form), to healthrecords.cnwl@nhs.net.

Staff, volunteers and job applicants should use the Accessing personnel records – guidance for staff form to obtain access to the information the Trust holds on them.

Also, if you are not a patient or Service User you will need to complete the Subject Access Request application to obtain access.

On receipt of your completed request, and proof of identity, we will commence the process of dealing with your request. This process can take time, but we will normally respond to you within one calendar month from the date of the request. This can be extended by up to a further two months, taking into account the complexity and number of requests.

Before health records can be viewed or released there are a number of processes that we are legally obliged to follow under the Data Protection (Subject Access Modification) (Health) Order 2000.


CNWL may withhold some, or all, of your personal information because of an exemption in data protection law. Exemptions are meant to protect particular types of information, or how certain organisations work.

CNWL may also refuse to give you your information if it also includes personal information about someone else, except where:

  • the other individual has agreed to the disclosure; or
  • it is reasonable to give you this information without the other individual’s consent.

Alternatively, the Trust may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’. This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.

Possible charges

Under GDPR legislation there are no fees for the first request. We usually provide this to you electronically, via secure email. Making paper copies costs the Trust in staff time, printing and postage, and we want to avoid costs where possible.

For further requests for the same information, a reasonable fee may be charged to cover CNWL administration costs.

A reasonable fee can also be charged where the request is deemed to be ‘manifestly unfounded’ or ‘excessive’ under the Access to Health Records Act 1990.

How do I complain about the contents of my records?

If you think that your current records contain inaccurate information, you should contact the health professional treating you and ask for it to be amended. You will need to complete and submit the form linked below:

Apply to have information amended or removed from your health record

If you request to have your records amended, and we are unable to make the amendment, we will attach a statement of your views to your records.

If you have a complaint about the way your data has been handled, you can:

If you still have any concerns about the way we have handled your data or are not happy with the Trust’s response to any data protection concern you have raised, you are entitled to contact the Information Commissioner’s Office as below.

The Information Commissioner's Office
Wycliffe House
Water Lane

0303 123 1113

More information

If you need more information or have any questions, please contact the Information Governance Team by email at healthrecords.cnwl@nhs.net.

How to access non-medical records

Please complete this online form and email a copy of an acceptable proof of identity (described on the form).