Privacy policy
This notice tells you why we collect information about you and how you can expect us to use it.
The information we collect about you is called personal information.
What is personal information?
Personal information is any data that directly or indirectly identifies you. Directly means the data on its own, and indirectly means when combined with other data. For example, your age on its own wont identify you, but when combined with, say, your school, ethnicity or religion, it may be possible to identify you.
Is my information safe?
Our patient records are held electronically and securely.
Only staff who are involved in your care, or who provide support to our clinical teams, can access your records, using secure access methods. We know who has looked at your records and who has made any changes. We only process the minimum personal data needed and we only hold it for as long as necessary.
Our staff are subject to a duty of confidentiality and must complete information security and data protection training.
Our security controls protect your confidentiality and ensure that relevant and reliable information is always available to your clinician.
Health Information Exchange (HIE)
Information is shared with local health and social care partners under the Health Information Exchange (HIE). The HIE includes patients who live in or whose GP is based in North Central London. The following services are not part of the project, so if you use the below services your information will not be made available through the HIE:
- Gender Identity Development Service (GIDS)
- Gender Identity Clinic (GIC)
- Forensic Child and Adolescent Mental Health Services (FCAMHS) based at the Portman Clinic
- Mentalization-Based Therapy (MBT) service based at the Portman Clinic
- Portman Assessment and Psychotherapy Service
- Family Assessment Service (FAS), Family Drug and Alcohol Court (FDAC)
- Complex Assessment, Camden CAMHS
Read more about the Health Information Exchange on this website.
Read more about the Health Information Exchange on the North London Partners website.
Read some frequently-asked questions about the Health Information Exchange.
Information laws
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 make sure we protect your information. The Tavistock & Portman NHS Foundation Trust is a Data Controller. This means that we legitimately determine the purpose of the processing. Under the GDPR we must have a lawful basis to process your information.
The Information Commissioner’s Office (ICO) upholds people’s information rights.
What personal information do you process about me?
Patients and carers
Purpose (why do we collect the information?) | What data do we collect? | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? |
---|---|---|---|---|
To provide you with services and treatments. | Your full name* and contact details, date of birth, age, gender information, ethnicity, religion, next of kin, immigration status, referral and treatment information, care and health information, forensic information related to your care needs. | Your GP, informal carer, NHS hospital or social care staff involved in your care, ambulance services (the above may share data under the Health Information Exchange). We may also share information with the police and probation services. | Article 6(e): Public task. Article 9(2)(h): preventive or occupational medicine, the provision of health or social care or treatment | Adult mental health records: Most records are held for 8 years after end of service. Records made under the Mental Health Act are held for 20 years after end of service or 10 years after death. Adult gender dysphoria records are held for 30 years after end of service (subject to review). Children’s records are held until the patient’s 25/26th birthday (depending on age at discharge). If a patient transfers to adult services the full record is transferred and the above retention periods then apply. NB: Closed adult mental health case files originally created in paper format may be held for up to 20 years. |
Research where you have agreed to take part (Interventional or clinical research) | This will depend on the nature and purpose of the research. We will tell you what data we will be processing about you. | We will tell you who we will be sharing your information with. Some of our research is carried out jointly with other NHS Trusts or universities. | Article 6(e): Public task. Article 9(2)(g): for reasons of substantial public interest, on the basis of Union or Member State law. and the interests of the data subject | 20 years |
Research (observational, for data analyses and service planning) | This will also depend on the nature and purpose of the research. We will use only the minimum personal data needed. | NHS and academia See NHS National Data Opt Out: https://www.nhs.uk/your-nhs-data-matters/ | Article 6(e): Public task. Article 9(2)(j): for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose,) based on Union or Member State law | 20 years |
Students
What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? | |
---|---|---|---|---|---|
Prospective students | Your name and contact details | Application process | N/A | Article 6(e): Public task | Current admission cycle plus 1 year |
Students who apply for a place | Your contact details (name, address, phone number(s), email, date of birth, gender, ethnicity, religion, relevant health or disability information, next of kin, details of your previous education and qualifications, financial information, ID/passport, visa or immigration information if you are a non-UK citizen. For regulated courses, we will check for criminal offences. | Verification checks, course planning, equalities monitoring, immigration status and DBS clearance. | Regulators and government agencies, student loan companies, student sponsors and employers. | Article 6(e): Public task | End of student relationship plus 6 years |
Enrolled/current students | In addition to the above, we hold information about your course, classes and attendance, exam results, placements, accommodation. You will be given a student number which our staff will use to identify you. | Course delivery and recording | As above | Article 6(e): Public task | End of student relationships plus 6 years (except where permanent retention is a legal or historical requirement, e.g. record of certificates and awards |
Past students (alumni) | Your contact details, post graduate course information and results. | Your post graduate qualification with us, your next employment, education or training. | Future employers (e.g. references), other educational institutions | Article 6(e): Public task | As above |
Staff
What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? | |
---|---|---|---|---|---|
Prospective staff | As per application form. | Recruitment | Referees | Article 6(e): Public task | 12 months |
Current staff | As per application form, references, contract information, training, absence details, occupational health data, bank details | Performance of contracted duties, payroll, training and development | Future/prospective employers, accreditation bodies, mortgage lenders (upon request), occupational health provider. | Article 6(e): Public task Article 9(2)(b) Employment, social security and social protection (if authorised by law) | 6 years from last day of employment or 75th birthday (whichever is soonest). Salaries and pensions: 10 years |
Current staff | Location of Trust mobile devices: laptops and mobile phones | Cyber security | This is not shared outside the Trust | Legitimate interests | Until the mobile device is returned to the ICT team |
Past staff | Not applicable | As above | As above | Article 6(e): Public task, Article 6(c): Legal obligation or Article 6(a): Consent | As above |
Partners and third parties
What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? | |
---|---|---|---|---|---|
Agencies and contractors | Contact details | Recruitment | Recruitment agencies and managed providers | Article 6(e): Public task | 3 years from end of contract |
NHS Trusts | Contact details | Workforce development projects | Project stakeholders | Article 6(f): Legitimate interests | End of project plus up to 6 years |
Keeping your information accurate and up to date
It is important for you to tell us if your name or contact details change.
Please also tell us if you notice any incorrect or out of date information on your records.
We will take the opportunity to share information with you when you attend appointments, so you can tell us if there is anything you don’t agree with. We will always record your comments.
When we may ask for your consent
If we wish to process your personal information in a way that you may not reasonably expect (i.e. that is not related to your care or treatment (service users), your education (students) or employment (staff), and where you can expect a duty of confidence to apply, we will ask for your consent to process your information for that purpose. This consent is called ‘common law’ consent. Common law is not a written law but is based on previous case law.
Adult gender patients
We will protect your privacy when you change your name.
Our Gender Identity Clinic (GIC) will ask you to change your name at your GP practice, if you have not already done so. If you have been issued with a new NHS Number in your new name and gender, we will amend our records to match your personal details against your new NHS Number.
You may be asked for ID to confirm your identity, and as evidence that you are using your new name.
If you have a Gender Recognition Certification (GRC), by law we must ask for your consent to continue to process your previous name. If you do not consent, we will shield your previous identity on your record.
If you don’t have a GRC you can still ask us to shield your previous identity on your care record.
For further information, please contact the GIC at GIC.administration@nhs.net, or you can contact our Data Protection Officer at IG@tavi-port.nhs.uk.
Your communication preferences
We will ask you what information you would like to receive from us and how you would like to receive it. You can update your communication preferences at any time.
Social media
The Trust has official accounts on Twitter and LinkedIn. These are controlled by our communications team. The communications team monitors public content across social networks and generates reports based on this content.
We use information posted publicly on social media so that we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.
Cookies
Cookies are small files that are placed on your computer or mobile device by websites that you visit. Our cookies help us to improve user experience on our website and monitor web traffic to our pages. We will recognise your IP address, but we will not know who you are. You can find out more about cookies at www.allaboutcookies.org.uk.
How to report a data protection breach
If you become aware of data protection breach or potential breach, please tell us about it by emailing dpo@tavi-port.nhs.uk or to telephone our Data Protection Officer on 020 8938 2022.
Please include as much information as you know about the circumstances of the incident and the personal data involved.
How to make a data protection complaint
If you have a complaint or concern about data protection, please email our Data Protection Officer at dpo@tavi-port.nhs.uk. If you prefer you can write to us at:
Data Protection Officer
Tavistock & Portman NHS Foundation Trust
120 Belsize Lane
London
NW3 5BA
Alternatively, you can address your complaint to our Patient Advice and Liaison Service (PALS).