Privacy policy

This notice tells you why we collect information about you and how you can expect us to use it.

The information we collect about you is called personal information.

What is personal information?

Personal information is any data that directly or indirectly identifies you. Directly means the data on its own, and indirectly means when combined with other data. For example, your age on its own won't identify you, but when combined with, say, your school, ethnicity or religion, it may be possible to identify you.

Is my information safe?

Our patient records are held electronically and securely.

Only staff who are involved in your care, or who provide support to our clinical teams, can access your records, using secure access methods. We know who has looked at your records and who has made any changes. We only process the minimum personal data needed and we only hold it for as long as necessary.

Our staff are subject to a duty of confidentiality and must complete information security and data protection training.   

Our security controls protect your confidentiality and ensure that relevant and reliable information is always available to your clinician.

Health Information Exchange (HIE)

Information is shared with local health and social care partners under the Health Information Exchange (HIE). The HIE includes patients who live in or whose GP is based in North Central London. The following services are not part of the project, so if you use any of the services below your information will not be made available through the HIE:

  • Gender Identity Development Service (GIDS)
  • Gender Identity Clinic (GIC)
  • Forensic Child and Adolescent Mental Health Services (FCAMHS) based at the Portman Clinic
  • Mentalization-Based Therapy (MBT) service based at the Portman Clinic
  • Portman Assessment and Psychotherapy Service
  • Family Assessment Service (FAS), Family Drug and Alcohol Court (FDAC)
  • Complex Assessment, Camden CAMHS

Read more about the Health Information Exchange on this website.

Read more about the Health Information Exchange on the North London Partners website.

Read some frequently-asked questions about the Health Information Exchange.

Read about the One London programme, one of the country’s first Local Health and Care Record Exemplars (LHCRE), designated by NHS England.

Information laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 make sure we protect your information. The Tavistock & Portman NHS Foundation Trust is a Data Controller. This means that we legitimately determine the purpose of the processing. Under the GDPR we must have a lawful basis to process your information.   

The Information Commissioner’s Office (ICO) upholds people’s information rights. 

What personal information do you process about me?

Patients and carers

| Purpose (why do we collect the information?) | What data do we collect? | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? |
| --- | --- | --- | --- | --- |
| To provide you with services and treatments. | Your full name* and contact details, date of birth, age, gender information, ethnicity, religion, next of kin, immigration status, referral and treatment information, care and health information, forensic information related to your care needs. | Your GP, informal carer, NHS hospital or social care staff involved in your care, ambulance services (the above may share data under the Health Information Exchange). We may also share information with the police and probation services. | Article 6(e): Public task. Article 9(2)(h): preventive or occupational medicine, the provision of health or social care or treatment | Adult mental health records: Most records are held for 8 years after end of service. Records made under the Mental Health Act are held for 20 years after end of service or 10 years after death. Adult gender dysphoria records are held for 30 years after end of service (subject to review). Children’s records are held until the patient’s 25/26th birthday (depending on age at discharge). If a patient transfers to adult services the full record is transferred and the above retention periods then apply. NB: Closed adult mental health case files originally created in paper format may be held for up to 20 years. |
| Research where you have agreed to take part (Interventional or clinical research) | This will depend on the nature and purpose of the research. We will tell you what data we will be processing about you. | We will tell you who we will be sharing your information with. Some of our research is carried out jointly with other NHS Trusts or universities. | Article 6(e): Public task. Article 9(2)(g): for reasons of substantial public interest, on the basis of Union or Member State law. and the interests of the data subject | 20 years |
| Research (observational, for data analyses and service planning) | This will also depend on the nature and purpose of the research. We will use only the minimum personal data needed. | NHS and academia. See NHS National Data Opt Out: https://www.nhs.uk/your-nhs-data-matters/ | Article 6(e): Public task. Article 9(2)(j): for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose, based on Union or Member State law | 20 years |

Students

|  | What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? |
| --- | --- | --- | --- | --- | --- |
| Prospective students | Your name and contact details | Application process | N/A | Article 6(e): Public task | Current admission cycle plus 1 year |
| Students who apply for a place | Your contact details (name, address, phone number(s), email), date of birth, gender, ethnicity, religion, relevant health or disability information, next of kin, details of your previous education and qualifications, financial information, ID/passport, visa or immigration information if you are a non-UK citizen. For regulated courses, we will check for criminal offences. | Verification checks, course planning, equalities monitoring, immigration status and DBS clearance. | Regulators and government agencies, student loan companies, student sponsors and employers. | Article 6(e): Public task | End of student relationship plus 6 years |
| Enrolled/current students | In addition to the above, we hold information about your course, classes and attendance, exam results, placements, accommodation. You will be given a student number which our staff will use to identify you. | Course delivery and recording | As above | Article 6(e): Public task | End of student relationships plus 6 years (except where permanent retention is a legal or historical requirement, e.g. record of certificates and awards) |
| Past students (alumni) | Your contact details, post graduate course information and results. | Your post graduate qualification with us, your next employment, education or training. | Future employers (e.g. references), other educational institutions | Article 6(e): Public task | As above |

Staff

|  | What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? |
| --- | --- | --- | --- | --- | --- |
| Prospective staff | As per application form. | Recruitment | Referees | Article 6(e): Public task | 12 months |
| Current staff | As per application form, references, contract information, training, absence details, occupational health data, bank details | Performance of contracted duties, payroll, training and development | Future/prospective employers, accreditation bodies, mortgage lenders (upon request), occupational health provider. | Article 6(e): Public task. Article 9(2)(b) Employment, social security and social protection (if authorised by law) | 6 years from last day of employment or 75th birthday (whichever is soonest). Salaries and pensions: 10 years |
| Current staff | Location of Trust mobile devices: laptops and mobile phones | Cyber security | This is not shared outside the Trust | Legitimate interests | Until the mobile device is returned to the ICT team |
| Past staff | Not applicable | As above | As above | Article 6(e): Public task, Article 6(c): Legal obligation or Article 6(a): Consent | As above |

Partners and third parties

|  | What data do we collect? | Purpose (why we collect it) | Who might we share your data with? | What is the lawful basis for the processing? | How long do we keep your information for? |
| --- | --- | --- | --- | --- | --- |
| Agencies and contractors | Contact details | Recruitment | Recruitment agencies and managed providers | Article 6(e): Public task | 3 years from end of contract |
| NHS Trusts | Contact details | Workforce development projects | Project stakeholders | Article 6(f): Legitimate interests | End of project plus up to 6 years |

Keeping your information accurate and up to date

It is important for you to tell us if your name or contact details change.

Please also tell us if you notice any incorrect or out of date information on your records. 

We will take the opportunity to share information with you when you attend appointments, so you can tell us if there is anything you don’t agree with. We will always record your comments.

When we may ask for your consent

If we wish to process your personal information in a way that you may not reasonably expect (i.e. that is not related to your care or treatment (service users), your education (students) or employment (staff)), and where you can expect a duty of confidence to apply, we will ask for your consent to process your information for that purpose. This consent is called ‘common law’ consent. Common law is not a written law but is based on previous case law.

Adult gender patients

We will protect your privacy when you change your name.

Our Gender Identity Clinic (GIC) will ask you to change your name at your GP practice, if you have not already done so. If you have been issued with a new NHS Number in your new name and gender, we will amend our records to match your personal details against your new NHS Number.

You may be asked for ID to confirm your identity, and as evidence that you are using your new name.

If you have a Gender Recognition Certification (GRC), by law we must ask for your consent to continue to process your previous name. If you do not consent, we will shield your previous identity on your record.

If you don’t have a GRC you can still ask us to shield your previous identity on your care record.

For further information, please contact the GIC at GIC.administration@nhs.net, or you can contact our Data Protection Officer at IG@tavi-port.nhs.uk.

Your communication preferences

We will ask you what information you would like to receive from us and how you would like to receive it. You can update your communication preferences at any time.

Social media

The Trust has official accounts on Twitter and LinkedIn. These are controlled by our communications team. The communications team monitors public content across social networks and generates reports based on this content.

We use information posted publicly on social media so that we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.

Cookies

Cookies are small files that are placed on your computer or mobile device by websites that you visit. Our cookies help us to improve user experience on our website and monitor web traffic to our pages. We will recognise your IP address, but we will not know who you are. You can find out more about cookies at www.allaboutcookies.org.uk.

How to report a data protection breach

If you become aware of a data protection breach or potential breach, please tell us about it by emailing dpo@tavi-port.nhs.uk or by telephoning our Data Protection Officer on 020 8938 2022.

Please include as much information as you know about the circumstances of the incident and the personal data involved.

How to make a data protection complaint

If you have a complaint or concern about data protection, please email our Data Protection Officer at dpo@tavi-port.nhs.uk. If you prefer you can write to us at:

Data Protection Officer
Tavistock & Portman NHS Foundation Trust
120 Belsize Lane
London
NW3 5BA

Alternatively, you can address your complaint to our Patient Advice and Liaison Service (PALS).

Further information

Lawful basis for processing (ICO)

Special category data (ICO)

Criminal offence data (ICO)

Guide to PECR (ICO)

Read or download our Data protection policy