Your privacy

This notice tells you why we collect information about you and how you can expect us to use it. 

You can select any of the links below to go straight to that section.

What is personal information?

Personal information is any data that directly or indirectly identifies you. Directly means the data on its own, and indirectly means when combined with other data.  For example, your age on its own wont identify you, but when combined with, say, your school, ethnicity or religion, it may be possible to identify you.

Is my information safe?

Our patient records are held electronically and securely.

Only staff who are involved in your care can access your records, using secure access methods.  We know who has looked at your records and who has made any changes.  We only process the minimum personal data needed and we only hold it for as long as necessary.

Our staff are subject to a duty of confidentiality and must complete information security and data protection training.   

Our security controls protect your confidentiality and ensure that relevant and reliable information is always available to your clinician.

Health Information Exchange (HIE)

Information is shared with local health and social care partners under the Health Information Exchange (HIE).  The HIE includes patients who live in or whose GP is based in North Central London. The following services are not part of the project, so if you use the below services your information will not be made available through the HIE:

  • Gender Identity Development Service (GIDS)
  • Gender Identity Clinic (GIC)
  • Forensic Child and Adolescent Mental Health Services (FCAMHS) based at the Portman Clinic
  • Mentalization-Based Therapy (MBT) service based at the Portman Clinic
  • Portman Assessment and Psychotherapy Service
  • Family Assessment Service (FAS), Family Drug and Alcohol Court (FDAC)
  • Complex Assessment, Camden CAMHS

Read more about the Health Information Exchange on this website.

Read more about the Health Information Exchange on the North London Partners website.

Read some frequently-asked questions about the Health Information Exchange.

How to opt-out of the joined-up health and care record.

Information laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 make sure we protect your information.  The Tavistock & Portman NHS Foundation Trust is a Data Controller.  This means that we legitimately determine the purpose of the processing.  Under the GDPR we must have a lawful basis to process your information.   

The Information Commissioner’s Office (ICO) upholds people’s information rights. 

What personal information do you process about me?

Patients and carers

Purpose (why do we collect the information?) What data do we collect? Who might we share your data with? What is the lawful basis for the processing? How long do we keep your information for?
To provide you with services and treatments. Your full name* and contact details, date of birth, age, gender information, ethnicity, religion, next of kin, immigration status, referral and treatment information, care and health information, forensic information related to your care needs. Your GP, informal carer, NHS hospital or social care staff involved in your care, ambulance services (the above may share data under the Health Information Exchange). We may also share information with the police and probation services. Article 6(e): Public task. Article 9(2)(h): preventive or occupational medicine, the provision of health or social care or treatment Adult mental health records: 20 years after end of service or 8 years after the person has died. Adult Gender Dysphoria: 30 years after end of service. All Childrens mental health records:  Until 25/26th birthday
Research where you have agreed to take part (Interventional or clinical research) This will depend on the nature and purpose of the research.  We will tell you what data we will be processing about you. We will tell you who we will be sharing your information with.  Some of our research is carried out  jointly with other NHS Trusts or universities. Article 6(e): Public task. Article 9(2)(g): for reasons of substantial public interest, on the basis of Union or Member State law. and the interests of the data subject 20 years
Research (observational, for data analyses and service planning) This will also depend on the nature and purpose of the research.  We will use only the minimum personal data needed. NHS and academia See NHS National Data Opt Out:  https://www.nhs.uk/your-nhs-data-matters/ Article 6(e): Public task. Article 9(2)(j): for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose,) based on Union or Member State law 20 years

If you are a trans patient, we will not retain any previous names or gender data. 

Students

What data do we collect? Purpose (why we collect it) Who might we share your data with? What is the lawful basis for the processing? How long do we keep your information for?
Prospective students Your name and contact details Application process N/A Public task Current admission cycle plus 1 year
Students who apply for a place Your contact details (name, address, phone number(s), email, date of birth, gender, ethnicity, religion, relevant health or disability information, next of kin, details of your previous education and qualifications, financial information, ID/passport, visa or immigration information if you are a non-UK citizen. For regulated courses, we will check for criminal offences. Verification checks, course planning, equalities monitoring, immigration status and DBS clearance. Regulators and government agencies, student loan companies, student sponsors and employers. Public task End of student relationship plus 6 years
Enrolled/current students In addition to the above, we hold information about your course, classes and attendance, exam results, placements, accommodation. You will be given a student number which our staff will use to identify you. Course delivery and recording As above Public task End of student relationships plus 6 years (except where permanent retention is a legal or historical requirement, e.g. record of certificates and awards
Past students (alumni) Your contact details, post graduate course information and results. Your post graduate qualification with us, your next employment, education or training. Future employers (e.g. references), other educational institutions Public task As above


Staff

What data do we collect? Purpose (why we collect it) Who might we share your data with? What is the lawful basis for the processing? How long do we keep your information for?
Prospective staff As per application form. Recruitment Referees Public task 12 months
Current staff As per application form, references, contract information, training, absence details, occupational health data, bank details Performance of contracted duties, payroll, training and development Future/prospective employers, accreditation bodies, mortgage lenders (upon request), occupational health provider. Public task 6 years from last day of employment or 75th birthday (whichever is soonest). Salaries and pensions:  10 years
Past staff Not applicable As above As above As above As above


Partners and third parties

What data do we collect? Purpose (why we collect it) Who might we share your data with? What is the lawful basis for the processing? How long do we keep your information for?
Agencies and contractors Contact details Recruitment Recruitment agencies and managed providers Public task 3 years from end of contract


Your rights

We must tell you how we process your personal information.  

You can ask to see what personal information we hold about you.  This is known as making a Subject Access Request (SAR). 

Read more about how to submit a Subject Access Request (SAR)

Where you think information we hold about you is inaccurate, you can ask us to correct it. We will correct any information that we agree is wrong, or we will add your comments to your record.

We have a statutory obligation to retain information about patients, staff and students. In some circumstances you may have a right to erasure of certain information we hold about you.

In some circumstances, you can ask us to restrict the processing of your personal data.  This right, where it applies, allows you to ask us to retain your personal information but not to use it.  You can make your request verbally or in writing. 

Where there is no legal obligation for the Trust to process your information, you can object to the processing.  We will comply with your objection unless there we have an overriding duty to continue the processing.

In some circumstances, you can request a copy of the personal data you have provided to us in a machine-readable format, so you can transfer it to another organisation or use it for a similar purpose. 

Where computers make decisions about you, including automated profiling, you have a right to challenge the decision or ask for a person to check an automated decision.

Keeping your information accurate up to date

It is important for you to tell us if your name or contact details change.

Please also tell us if you notice any incorrect or out of date information on your records. 

We will take the opportunity to share information with you when you attend appointments, so you can tell us if there is anything you don’t agree with. We will always record your comments.

Your communication preferences

We will ask you what information you would like to receive from us and how you would like to receive it. You can update your communication preferences at any time.

Social Media

The Trust has official accounts on Twitter and LinkedIn. These are controlled by our communications team. The communications team monitors public content across social networks and generates reports based on this content.

We use information posted publicly on social media so that we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.

Cookies

Cookies are small files that are placed on your computer or mobile device by websites that you visit. Our cookies help us to improve user experience on our website and monitor web traffic to our pages. We will recognise your IP address, but we will not know who you are. You can find out more about cookies at www.allaboutcookies.org.uk.

How to report a data protection breach

If you become aware of data protection breach or potential breach, please tell us about it by emailing dpo@tavi-port.nhs.uk or to telephone our Data Protection Officer (Janice Abraham, Assistant Director of Information Governance and Information Security) on 020 8938 2022.

Please include as much information as you know about the circumstances of the incident and the personal data involved.

How to make a data protection complaint

If you have a complaint or concern about data protection, please email our Data Protection Officer, Janice Abraham, Assistant Director of Information Governance and Information Security,  at dpo@tavi-port.nhs.uk.  If you prefer you can write to us at:

Data Protection Officer
Tavistock & Portman NHS Foundation Trust
120 Belsize Lane
London
NW3 5BA

Alternatively, you can address your complaint to our Patient Advice and Liaison Service (PALS).

Further information

Lawful basis for processing (ICO)

Special category data (ICO)

Criminal offence data (ICO)

Guide to PECR (ICO)