How your personal information is used by Central and North West London NHS Foundation Trust.

Please read this privacy notice to understand how we use and protect the information that patients, like you, provide to us.

We value your privacy and want to be clear about the data we collect, how we use it and your rights to control that information, which is why we've updated this privacy notice.

Your information will be held by Central and North West London NHS Foundation Trust (CNWL).

The General Data Protection Regulation requires us to manage all personal information in accordance with the some important principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information.

Notice applicable as of 25 May 2018.

We are Central and North West London NHS Foundation Trust (CNWL).

CNWL are committed to providing excellent integrated patient care.  We are a large and diverse organisation, providing healthcare services for people with a wide range of physical and mental health needs.

We employ approximately 7,000 staff to provide more than 300 different health services across 150 sites and other services in community settings.  Our services cover:

  • Common physical health problems
  • Long-term conditions
  • Mental health difficulties
  • Learning disabilities
  • Eating disorders
  • Addictions
  • Sexual health.

We want you to have confidence in the way we handle your information when you use our services.

We will manage your personal information fairly, lawfully and transparently. This means you’ll know how we use your information and we’ll tell you about your rights too.

We want to make sure that you have confidence in CNWL and feel comfortable about giving us your information. Safely looking after your information is a key part of our relationship with you.

We have appointed a Data Protection Officer (known as a ‘DPO’) and a dedicated team that looks after data privacy rights.

You can contact our the team by emailing:

When you use our services we will record relevant personal and clinical information you provide to us. We may also receive relevant information about you from different people such as a parent, guardian or representative you have appointed.

We will only share your clinical health information with NHS care professionals and other care providers involved in your care when it is appropriate, fair and lawful to do so. Other clinical providers and partners involved in your care may share with us your information.

We will collect and share personal information that is relevant to your care. We will meet our obligations to you under the General Data Protection Regulations and Health and Social Care Act 2012, which include:

  • Providing your healthcare
  • Working with other agencies and partners involved in your healthcare
  • Telling you about CNWL services
  • Updating, consolidating and improving the accuracy of our records
  • Maintaing and improving our health services
  • Responding to your enquiries and complaints
  • Managing your relationship with us
  • Assisting regulatory authorities with their functions
  • Safeguarding
  • Crime detection, prevention and prosecution.

Medical care

We obtain, record, share and use your information as part of CNWL’s responsibility to provide your medical care. This includes:

  • Healthcare provision
  • Diagnosis
  • Treatment
  • Social care
  • Management of our care record systems
  • Maintaining and improving health services.

Our healthcare professionals and employees are under obligation maintain professional secrecy and are required to maintain confidentiality as part of their employment contract. Everyone working for CNWL is subject to the common law duty of confidentiality.

Protection of life and vital interests

CNWL may use your information to protect you or someone else’s life when this is absolutely necessary.

Legal obligations

 Sometimes we are required by law to pass on certain information about you. Legal obligations to share information include:

  • Notifying officials of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010
  • Where a court orders us to share your information
  • When it’s required by us or others to detect, investigate or prevent serious crime.
  • Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office.

National Fraud Initiative (NFI)

We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. Please see this guidance.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR).  For further information on the reasons why it matches particular information, see this guidance.

For further information on data matching at the Central and West London NHS Foundation Trust please contact Kate Harrington Stillwell, Local Counter Fraud Specialist, by emailing  Further information on how the NFI has assisted the NHS and other public sector organisations can also be found here


CNWL is a research organisation. The Trust processes personal information for research purposes under the public interest.

Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (‘data minimisation’) and ensuring the data cannot be linked to you (‘anonymising’ or ‘pseudonymising’ the information).

Confidential patient information provides numerous benefits. It is used in research to find cures and better treatments for diseases like diabetes and cancer.

The national data opt-out is a new service that allows people to opt out of their confidential patient information being used for research and planning.

You can opt-out here.

When determining how long we keep your information, we take into account any legal requirements, the expectations of the data protection regulator and the amount of time we need to hold your personal information to provide safe clinical care.

The Records Management Code of Practice for Health and Social Care 2016 sets out what people working at CNWL need to do to manage records correctly. We follow a retention schedule which makes sure that information we no longer need is destroyed.

Cookies are small text files that are held on your computer. We use cookies to gather information to help us improve the website. We have a dedicated Cookies Policy for inspection.

You have certain rights over your personal information. These include:

  • A right to access a copy of your personal information
  • A right to object to the way we use your personal information as described above.

And in certain circumstances:

  • A right to ask for your personal information to be corrected and updated
  • A right to ask for your personal information to be destroyed
  • A right to restrict CNWL in how we can use your personal information

We may have to confirm your identity and in some circumstances need payment from you.

You have a right to ask CNWL if we have your personal information. If we do, you have a right to know:

  • Why we have it
  • What type of information we possess
  • Whether we have or will send it to others, especially outside the European Economic Area
  • How long we will keep it
  • Where we got it from
  • Details of any automated decision-making.

If you want, you can ask for a copy of your information. It may help you to use this form.

Where any of your information is incorrect, you have a right to tell us to correct it promptly.

In certain circumstances, you may have other extra rights:

Right to object

Depending on the legal basis for which we are using your information, you may be entitled to object. We will always balance your rights with those of CNWL’s responsibilities and obligations.

Erasure (right to be forgotten)

You may have a right to have some or all of the information we hold about you deleted. However you should be aware that, as a healthcare provider, we are required to retain many records even after your treatment has finished at this Trust.


In certain circumstances you would be entitled to receive some of your information from us electronically. We can either pass the information to you, or to another person or business if you want.


You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold about you is incorrect.

We do not use systems to make healthcare decisions solely by automated means without any human involvement.

Should CNWL ever look to use automated decision-making systems we will seek your consent and revise this privacy notice. We will always allow you to contest the decision, give your views and make sure there’s proper human involvement.

Should CNWL ever look to seek your consent to use your information, you have the right to withdraw that consent at any time.

A Data Protection Impact Assessment is a methodology the Trust employs to comprehensively analyse data processing activity and help identify and minimise data protection risks.

The General Data Protection Regulation is important. It strengthens data protection rules and enhances your information rights but rules are still grounded in common sense. CNWL will continue make changes to the privacy policy as part of our commitment to protecting your privacy and affording you even more transparency.

We hope you have found this privacy policy easy to understand. We also have a patient information leaflet (opens PDF).

For specific privacy information for Occupational Health, please visit their privacy notice.