North London Partners in health and care

Privacy notice


PRIVACY NOTICE - last updated 22/02/2019

You can also download a version of the privacy notice to print on A4 paper if you wish.

1.0    Introduction

The Data Protection Act 2018 became law on the 25 May 2018. It explicitly brought the EU General Data Protection Regulation (GDPR) 2016/EU679 into UK law as the “Applied GDPR”; we refer to these and other acts as “the data protection legislation”.

A requirement of the data protection legislation is that we inform individuals about whom we hold data (data subjects) about our processing. A Privacy Notice is information given to ensure data subjects are aware of how their data is being used or shared.

2.0    What is this Privacy Notice about?

This privacy notice contains information about the sharing of Personal Data by North London Health and Care Partners using a system called the Health Information Exchange (HIE) and contains details of the following:

  • information we collect and hold about you;
  • the legal basis for collecting and holding the information;
  • what we do with it, how we keep it secure (confidential);
  • who we might share it with;
  • how long we will hold it for;
  • what your rights are in relation to your data.

3.0    Who we are

This privacy notice is issued by the North Central London Health and Care Partners.

The partners who are signatories to a Data Sharing Agreement which demonstrates a robust foundation for the lawful, secure and confidential sharing of personal information between themselves. LINK TO DSA

Each partner has appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. Each partner is controller of the data that it accesses via the HIE and responsible for processing that data in line with data protection legislation.  

4.0    The purpose(s) of the sharing

HIE is an Electronic Health Record (EHR) linking system that brings together patient/client’s data across health and care systems in a secure manner, embedding a real-time single aggregated summary of a your data which is held within a number of local records.

Benefits of such a system are;

  • improved quality of care – information about your care will be instantly available to clinicians for more accurate diagnosis and on-going treatment. 
  • improved patient safety – there will be greater visibility for your health and social providers about your current medications, allergies and adverse reactions. 
  • reduced delays in care – test results will be readily available reduces patient waiting time.

5.0    The categories of personal information we share

Personal Data, means any information about individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). The Personal Data that is shared includes:

Personal Data: Forename, Surname Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number, NHS Number and Hospital ID

Special categories of Personal Data: Racial or ethnic origin, Physical/mental health or condition. For example blood test results, MRI scan results, etc

However, not every element of your information is part of the joint record. Examples of the sensitive information that will be left out, includes sexual health, HIV status, fertility treatment records, domestic violence and criminal records.  A full list is available on our website. (Link)

We do not currently plan to include children’s social care records.

6.0    What is the lawful basis for the sharing?

The processing (sharing) of Personal Data for these purposes is permitted under Article 6(1) (e) of the General Data Protection Regulation:

Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The processing (sharing) of special categories of Personal Data via the HIE system is permitted under Article 9 (2) (h) of the General Data Protection Regulations:

Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

7.0    What we use your Personal Data and special categories of Personal Data (known as or sensitive personal) for

The Personal Data that we share will be used by the partners to provide you with the best possible direct care delivery.

8.0    Organisations we share your personal information with

Personal Data will only be shared between the health and care organisations who are partners and named processors to the Data Sharing/Processing Agreement. A list of all the partners, with the details of their Data Protection Officers, and named processors are attached to this document. (Appendix A)

The data will be shared with health and social care professionals providing direct medical care to the data subject; with a legitimate relationship to the patient.

9.0    What is the Health Information Exchange (HIE)?

A record of care is held on each partner’s secure clinical system (local record). Cerner, a supplier of healthcare systems has designed HIE. This system integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to a health or social care professional when required for the purpose of direct care.

How will the information be made available?

The information is accessed in real time and on-demand and presented as a read only view; meaning that the Personal Data from a partner’s local record is not changed. The data remains within each Partner’s database and users are allowed read-view access only.

10.0  How long do we keep your record?

As HIE is only used to share, rather than store, data contained within a local record, the retention of data is set by individual partners who follow the NHS Records Management Code of Practice for Health and Social Care 2016.

11.0  How we keep your personal information safe and secure

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential

Our appropriate technical and security measures include:

  • complying with Data Protection Legislation;
  • encrypting Personal Data transmitted between partners;
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • completion of the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and opt-outs, and adhere to robust information governance management and accountability arrangements;
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Authority Personal Data under the Health Information Exchange (HIE) system are auditable against an individual;
  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.

12.0  What are your rights?

Under the Data Protection Legislation, you have the right to:

  • request copies of your personal information;
  • request rectification of any inaccuracy in your Personal Data or special categories of Personal Data; and
  • restrict the processing of your personal information where the accuracy of the data is contested or, where the processing/sharing is no longer needed.

Additionally, you have the right to opt out to sharing Personal Confidential Data via HIE, and once you have none of your personal data will be shared via HIE.

13.0  How can I access the information you keep about me?

To access your Personal Data you should contact a partner’s Data Protection Officer (Appendix A)

14.0  How can I “opt-out” of data sharing via HIE?

We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.

If you would like to speak to someone about your choice, you can contact us via our website.

You can opt-out of having your Personal Data shared via HIE by completing the attached form and return it to us or by using the form on our website. 

Before opting out, please ensure that you have read the Health Information Exchange Opt-Out leaflet carefully and do so understanding what it means for you.  If you choose to opt-out, you will not be able to take advantage of the benefits that the electronic joined-up record can bring you. The care professionals looking after you won’t have your full history and most recent information available to them ‘in real time’ when they assess you, and decisions about your care may take longer, even in emergency situations. 

15.0  Right to complain

You can get further advice or report a concern directly to:

  • a partner’s Data Protection Officer (Appendix A), or
  • the UK’s supervisory authority (Information Commissioner’s Office) by:

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)



 Appendix A              List of Partners. Data Protection Officer


Data Protection Officer Details

Royal Free London NHS Hospitals Foundation Trust


Barnet Enfield and Haringey Mental Health NHS Trust (main sites, incl Enfield Community)


Camden and Islington NHS FT (and main sites)


University College London Hospitals NHS Foundation Trust.


North Middlesex University Hospital NHS Trust


Central and North West London NHS FT (Camden Community)


Central London Community Healthcare NHS Trust


Moorfields Eye Hospital NHS Foundation Trust


Royal National Orthopaedic Hospital NHS Trust


Whittington Health NHS Trust


Great Ormond Street Hospital


Islington GPs


Camden GPs


Enfield GPs


Barnet GPs


Haringey GPs


Barnet Federation


Haringey Federation


Enfield Federation


Islington Federation


Camden GP Federation


Tavistock and Portman NHS Foundation Trust


London Borough of Islington


London Borough of Camden


London Borough of Enfield


London Borough of Haringey


London Borough of Islington


London Borough of Barnet







Version control


Version number






Foluke Oyinlola



Revised to incorporate IG Sub-Group members’ comments

Foluke Oyinlola








Review by






07 February 2019

Approved with minor changes