Privacy and your data (privacy notice)


This privacy notice tells you what to expect when we collect your personal information.

Tavistock and Portman NHS Foundation Trust uses personal and confidential information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

Why we need your data

The Tavistock and Portman NHS Foundation Trust has a legitimate right to process your information as part of exercising its official authority; this covers public functions and powers that are set out in law; or to perform a specific task in the public interest that is set out in law.

How it will be used

Information collected by the Tavistock and Portman NHS Foundation Trust is used to:

  • Improve the content and design of the website
  • Provide general administration of the services we provide
  • We may also use your personal information (for internal purposes only) as a research tool to: obtain feedback with a view to developing more relevant content and services; support general service improvement; and measure resource usage via statistical analysis.

Information used in this way is completely anonymised.

  • Contact visitors (with their permission)

We will never share your information with other organisations for marketing, market research or commercial purposes. We don’t pass on your personal information to any other website.

Who it will be shared with

The personal information you provide to the Tavistock and Portman NHS Foundation Trust is used for internal purposes. It can only be viewed by staff with a legitimate reason to view it: clinical systems by clinical and admin staff, student systems by administration staff, and library systems by library staff.

We may have to share information about you with non-NHS staff (for example Social Services): we will only do this if it is necessary, and if we need your consent we will ask you for it. The main NHS organisations which may need your information are Clinical Commissioning Groups, Commissioning Support Units, NHS England, NHS Improvement, other NHS trusts, GP practices, Department of Education, Partner Universities etc. If we have to share information about you, we will remove your personal details where possible.

We may arrange for external companies to type dictated correspondence. This typing may be done overseas. Your name and address is not added until the typed correspondence has been returned to us, so it is not possible for anyone outside the Trust to identify you.

In addition, information may be used for approved research projects. In most instances the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission or request approval from the Health Research Authority's Confidentiality Advisory Group.

Should you not wish information about you to be used for research, please speak to the clinical team who are treating you.

The law determines how we can use personal information. The key laws are: the General Data Protection Regulation (GDPR), the Human Rights Act 1998 (HRA), relevant health service legislation, and the common law duty of confidentiality.

The Tavistock and Portman NHS Foundation Trust is the “Data Controller” for the purpose of the GDPR where we direct or commission the processing of patient, student, staff and visitor data to help deliver healthcare, or assist the management of healthcare services, student services, staff services and any other responsibility in the delivery of our corporate services.

Tavistock and Portman NHS Foundation Trust is a “Joint Controller” for the purpose of the GDPR where two or more controllers determine the purposes and means of processing. As a Joint Controller with another controller, together we determine respective responsibilities for legal compliance and the rights of the data subject in a transparent manner.

Tavistock and Portman NHS Foundation Trust is the “Data Processor” for the purpose of the GDPR where we process data on behalf of Controllers and under the controller’s instruction, governed by a contract or other legal act under EU or national law that is binding on us as a processor.


We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes.  For example, we might use information about patients to carry out a survey to find out if they are happy with the level of service they received.

The Trust has a national and international reputation for its healthcare and teaching.  Quality checks may be undertaken by our own staff from time to time. In order to be sure that we are providing a good service to our users, we provide information on how we are performing to regulators, such as the Care Quality Commission, but in most cases, this information is facts and figures and does not contain information about individuals.

The retention period of our records from discharge, or when the patient was last seen, is either 20 years or 8 years after the patient has died. The records will then be reviewed, and if they are no longer needed they will be destroyed.


The details of people who are enrolled on a course of study and following completion of the programme of study, for the requisite period of time as set out in the Trust’s retention schedule.  

A list of the third parties to whom the Trust may disclose personal data of students, including sensitive personal data, is given below:

Local Authorities – in order to administer exemptions of properties from council tax a student’s personal data will be shared with the relevant local authority from which the exemption is being sought.

Higher Education Statistics Agency (HESA) and HE funding councils – students’ personal data will be provided to HE funding councils and HESA. Further details about the data shared with HESA can be found in the HESA-Student collection notice on the HESA website.

Higher Education Academy – the Trust is required to pass data to the Higher Education Academy as part of participation in the Post-Graduate Research Experience Survey. This survey gives students the chance to give feedback on their experiences at the Trust and so inform the choices of prospective students. It is described in detail on the Higher Education Academy website.

The Trust will pass your name and contact details to the agent carrying out the survey. The agent may then contact you to take part. You do not have to take part in the survey and you can opt-out at any time by contacting the agent and providing them with verification of your identity by confirming your date of birth.

Higher Education (HE) institutions – where students are involved in award programmes validated by a university partner organisation, the Trust may disclose their personal data for general educational and assessment purposes. 

Sponsors, loan organisations and scholarship schemes – personal data about students may be disclosed to third parties attempting to recover debt on behalf of the Trust where internal procedures have failed.

Parents, guardians and other relatives – the Trust will not disclose a student's personal data to parents, guardians or any other relative. If a student has provided a nominated contact in the event of a medical problem or emergency then some personal data may be provided.

Published information – examination results and any award (such as a degree) made by the Trust and university partner organisation is a matter of public record, rather than personal data, and as such will be publicly available and publicised at, for instance, graduation ceremonies. 

Photographs of students during the course of their study may also be taken. If students do not wish to be photographed, they can absent themselves from any such situation. The Trust will assume the consent of individuals pictured in groups for use in Trust publications and publicity materials, and publications produced by third parties authorised by the Trust. Attendance at graduation ceremonies will convey the permission of the attendees that photographs and recordings taken on the day may be publicised on the Trust’s and university partner organisations’ websites.

Expert Reference Groups and wider Consultation Groups

Our Expert Reference Groups and wider consultation groups represent individuals who have (for example) expertise, knowledge, previous work, or professional association, but may also have representatives from professional bodies, professional organisations, educational institutions, charities and other organisations who may have a stake and interest in the Trust’s projects. The details of people registering for membership of the Expert Reference Group and Consultation Groups are held in the same manner as for students and patients. We hold the personal details of people who are members of the Expert Reference Group or the wider Consultation Groups to inform the development and implementation of our projects’ outputs. People’s details will not be shared with any third party, unless with the express permission of the subject.

Conference Attendees

The details of people registering for attendance at one of our conferences or externally advertised events are held in the same manner as for students. People’s details may be used for future marketing purposes but will not be shared with any third party, unless with the express permission of the subject.


Sometimes, individuals may be invited to take part in research. However, the Trust does not release information on patients or students without getting their approval first.

Exceptional circumstances

Except in exceptional circumstances personal data will never be disclosed to third parties.  Exceptional circumstances could include:

  • protecting the vital interests of the data subject (i.e. release of medical data where failure to release the data would result in harm to, or the death of, the data subject) 
  • preventing serious harm to a third party that would occur if the data were not disclosed 
  • safeguarding national security 
  • prevention or detection of crime 
  • apprehension or prosecution of offenders 
  • assessment or collection of any tax or duty or of any imposition of a similar nature 
  • discharge of regulatory functions, including securing the health, safety and welfare of persons at work 

Your Information

This part of the Privacy Notice outlines what personal information we hold, why we use it and how we protect it.

What types of personal data do we handle?

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. We also process personal information about health care professionals that deliver services throughout the NHS.

We also use information to support and monitor the health services commissioned in England to enable the delivery of high quality healthcare.

The types of personal information we use include:

  • personal details such as names, addresses, telephone numbers
  • family details, for example next of kin details
  • education, training, most frequently of students, lecturers, staff such as
  • employment details, for example for those that work for us either directly or are commissioned by us to provide a service
  • financial details, where we provide payment for services or access to funds for individual patients
  • services, for example details of the services accessed or offered by providers
  • lifestyle and social circumstances
  • visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security
  • details held in the patient’s record, where we hold or manage the patient’s record
  • responses to surveys, where individuals have responded to surveys about healthcare issues

We also process sensitive classes of information that may include:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff, or for those health care professionals we manage.

In terms of patient information, information may include:

  • physical or mental health details
  • sexual life

How will we use information about you?

Your information is used to run and improve Tavistock and Portman NHS Foundation Trust. It may be used to:

  • Check and report on how effective the Trust and the services it commissions have been
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents
  • Make sure that the Trust gives value for money
  • Make sure services are planned to meet patients’ needs in the future
  • Review the care given to make sure it is of the highest possible standard
  • Manage specialised services that we commission.

We may keep your information in written form or on a computer. Whenever possible all information that identifies you will be removed.

Communicating via text or email

Consent will be sought and can be withdrawn at any time without it having any effect on the quality of the care we provide.

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order
  • You have consented to disclosure

Tavistock and Portman NHS Foundation Trust is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public

Security of your information

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality. Deputy SIROs have also been appointed in an Information and Security Governance Manager and DPO who is responsible for Staff, Students, Patients and corporate data.

All staff are required to undertake annual information governance (Data Security and Protection) training and are provided with information governance awareness at induction so that they understand their responsibilities and agree to adhere to them. The staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Retaining information

We will only retain information for as long as necessary. Records are maintained in line with the Trust retention schedule which determines the length of time records should be kept.

How can you get access to your personal information?

The GDPR gives you the right to see the information that Tavistock and Portman NHS Foundation Trust holds about you and why. Requests must be made in writing and you will need to provide:

  • adequate information [for example full name, address, date of birth, NHS number, etc.] so that your identity can be verified and your information located.
  • an indication of what information you are requesting to enable us to locate this in an efficient manner.

A request for information that we hold about you has to be made to the appropriate data controller; this will be us if we are the relevant data controller.

Under GDPR we have to provide such information free of charge; however, where a fee is applicable under the terms of the GDPR and subsequent legislation, we will inform you in writing. In due course our disbursement scheme (which outlines these fees) will be available.

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable under the Data Protection Legislation (GDPR).

We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.



The Trust is committed to the privacy of individuals using this website. This privacy statement discloses the privacy practices for and its subdomains.

Some features of this website, for example our contact forms, collect personal information submitted by users.  Any information submitted will be kept in the strictest confidence and will never be passed on to a third party, unless there is a legal obligation on us to do so.


We strive to offer accurate and up to date web content. However, the ever-changing nature of healthcare means that inaccuracies are sometimes unavoidable. Whilst we welcome feedback to correct errors, responsibility for the use of any information found here lies solely with the user. You also assume the risk of computer viruses, worms, Trojan horses and other destructive code by downloading files from this website. To report an error or inaccuracy please contact


The Trust is not responsible for the content or reliability of linked websites and does not necessarily endorse the views expressed within them. Listing should not be taken as endorsement of any kind.  While we endeavour to keep all links up to date we cannot guarantee that these links will work all of the time and we have no control over the availability of linked pages. To report a broken or dead link please contact


We cannot guarantee uninterrupted access to this website or the sites to which it links. We accept no responsibility for any damages arising from the loss of access to information.


Different copyright restrictions apply to individual documents on this website. Unless otherwise stated, the following copyright statement applies to content found on this site:

The Trust reserves its right to retain its intellectual property.  Visitors to this website are welcome to access this copyright material and view for any purpose, or to download onto electronic, magnetic, optical or similar storage media provided that such activities are for personal use or private research.  Content downloaded from this website may not be used for income generating activity without prior consent from the Tavistock and Portman NHS Foundation Trust Communications team. 


Cookies are small files that are placed on your computer or mobile device by websites that you visit.  Our cookies help us:

  • Make our website work as you would expect
  • Remember your settings during and between visits
  • Improve the speed/security of the site
  • Allow you to share pages with social networks like Facebook, LinkedIn and Twitter
  • Continuously improve our website for you
  • Make our marketing more efficient

We do not use cookies to:

  • Collect any personally identifiable information
  • Collect any sensitive information
  • Pass data to advertising networks
  • Pass personally identifiable data to third parties

Most web browsers allow some control of cookies.  To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit

To opt out of being tracked by Google Analytics across all websites visit

The cookies we use on this site include:

Google Analytics (_utma, _utmb, _utmc, _utmz): These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. It is not possible to identify individuals or gather their personal information through the collection of these cookies.

We occasionally use our records of the pages users have visited on this website to analyse trends, administer the site and track users’ movements.  Our records do not contain any personal information about users.

Changing your cookie settings in your browser

To control the way your device manages cookies, go to your browser settings.  The links below are designed to help but are not exhaustive:

    Changing cookie settings in Firefox

    Changing cookie settings in Internet Explorer

    Changing cookie settings in Google Chrome

    Changing cookie settings in Safari (OS X)

    Changing cookie settings in Safari (iOS)

    Changing cookie settings in Android

Notification of changes

If we alter any of the above, we will post notification of the changes on our homepage.

Changes to our privacy notice

We keep our Privacy Notice under regular review and we will place any updates on this webpage.

Data Protection Notification

Tavistock and Portman NHS Foundation Trust is a ‘data controller’ under the GDPR. We have notified the Information Commissioner that we process personal data and the details are publicly available from:

Information Commissioner’s Office
Wycliffe House
Water Lane
SK9 5AF 

How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Tavistock Centre,
120 Belsize Lane
Tel: 020 7435 7111
Email for subject access requests:
Email for freedom of information requests:

Make a complaint

Submit a complaint using our online form.

Contact our Data Protection Officer

Contact Janice Abraham by emailing