Handling your information at C&I

Data Subject Access Requests (SAR), such as requesting your medical records, can be made in writing or verbally. You do not have to tell us the reason for your request but we may ask you to confirm your identity. Please note if you have posted your SAR form to us, you may experience a delay due to ongoing postal strikes.

How to request information

You can submit your SAR by the following methods:

By email:  information.request@candi.nhs.uk

Please include two forms of identifcation with your completed SAR form. Please include Form 1 - Complete this form to make a request for your personal information and provide two forms of identification. 

Please note that C&I will only retain your personal data for as long as necessary for the purposes we collected it for. Please see below under Data Protection and  our privacy notice which explains how we handle your information.

For data protection concerns please email information.request@candi.nhs.uk or call 0203 317 7100

If you would like to make a Freedom of Information (FOI) Request please email freedom.information@candi.nhs.uk or visit our Freedom of Information page for more information.

Please note that C&I is an adult Mental Health Trust. We provide services for adults of working age, adults with learning difficulties and older people in the London area. If your request concerns children, young people under the age of 18 or acute services we may not hold the information you are looking for.

By writing to us at:
Information Governance Team
3rd Floor, Room 3/25, West Wing
St Pancras Hospital
4 St Pancras Way

0203 317 7094 (Subject Access Requests)

Trust Privacy Notice for patients

What is a Fair Processing Notice?

C&I respects your privacy and is committed to protecting your personal data.

This privacy notice will tell you about how we look after your personal data, your privacy rights and  how the law protects you. The General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose personal data they hold and use.

A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice. A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data is used and disclosed, how long it is kept and the controller’s legal basis for processing.

Download the CI Privacy Notice [pdf] 348KB

What is our duty as a Trust?

Confidentiality affects everyone: Camden and Islington NHS Foundation Trust collects,stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data we are responsible for, whether digital or on paper.

At Trust Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who is responsible for overseeing the Trust’s data protection strategy and its implementation to ensure compliance with GDPR requirements. They can be contacted via Information.Request@candi.nhs.uk

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) , the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance: Information.Request@candi.nhs.uk

Why do we collect information about you?

Doctors, nurses and other healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer, and may include:

  • Basic details about you such as name, address, date of birth, next of kin, etc
  • Contact we have had with you such as appointments or clinic visits
  • Mental Health documentation
  • Notes and reports about your health, treatment and care
  • Relevant information from people who care for you and know you well such as health professionals and relatives
  • It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible. We need to collect information about you to provide you with health and care services. This is in accordance with the statutory obligations under the NHS Act 2006 and Health and Social Care Act 2012. The information that we collect is used for medical purposes that include:
  • The Data Protection Act 2018
  • General Data Protection Regulation
  • The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Computer Misuse Act 1998
  • Audit Commission Act 1998
  • Regulation of Investigatory Powers Act 2000
  • Access to Health Records Act 1990
  • For the purposes of the Data Protection Act, the Trust is the "Data Controller" (the holder, user and processor) of staff information.

What types of personal data do we process?

The Trust has a legal duty to keep complete, accurate and up-to-date information about your health. This is so that you can receive the best possible care, both now and in the future. 

This information is known as your ‘health record’ and is stored securely on managed systems.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together below.

Types of data we process
Category Data type
Identity Data Your name, date of birth, NHS number, gender
Contact details Your address, telephone number, email address (if provided), Emergency contacts
Support contact details Names, contact details of carers, relevant close relatives, next of kin, representatives
Physical, social or mental health situation or condition

Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving, GP contact details, bank details (for patient affairs)

Protected characteristics/ Special Categories of personal data

Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the people being cared for

Recruitment data (for C&I staff only, fixed term, agency)

Recruitment Data includes items of personal information such as your name, date of birth, address, qualifications, references and potentially special categories of data such as occupation health data (if provided) and disclosure and barring service self-declaration form details


Information relating to health and safety


Offences (including alleged offences), criminal proceedings, outcomes and sentences


Complaints, accidents, and incident details


What is the purpose of processing data?

Under the Data Protection Act 2018, the Trust processes your data for the performance of a task carried out in the public interest and in exercising our official authority. This means that it is necessary for us to process your data for those purposes.

Additionally, other alternative conditions may be applicable where the above justification is not available for example, in the event of a life or death situation such as to prevent harm being caused by a patient or service user.

Other than where there is a legal requirement to share your information we will not publish any information that identifies you or routinely disclose any information about you without your express consent. At any time you have the right to refuse or withdraw your consent to information sharing.

We have set out a description of all the ways we use your personal data [pdf] 119KB and the legal bases we rely on to do so. 

Obligatory Situations where we share your Information

In certain circumstances the Trust is legally and morally obliged to share your information. In many of these circumstances your consent is not required for this sharing to take place and we may not be obliged or able to report that the sharing has taken place. 

The following list includes, but is not limited to, such circumstances:



 Courts (civil and  criminal)

If a court serves the Foundation Trust a court order we are obliged to provide the requested information. It is the responsibility of the court to contact you to inform you of their actions.

 Department of Health

The Department of Health requires us to submit information for performance and financial monitoring purposes.

 Police and law  enforcement

Police and other law enforcement agencies can require us to submit information they require to fulfil their investigation. Most only have powers to request information when investigating criminal matters. We would in most cases be unable to inform you that your information has been shared until after the investigation had been completed.

 Professional bodies

Professional bodies, such as the British Medical Association or the Nursing and Midwifery Council have obligations to ensure their licensed members adhere to their codes of practice. Under some circumstances they can request information to assist in malpractice or misconduct investigations.

 National Government  department

Some National Government departments have powers to request information to assist in their investigations (e.g. The Home Office).

National Disease Registries or Research Projects

The Trust may by law be obliged to report some communicable diseases if a service user is infected (e.g. Influenza, Tuberculosis). We may also be required to submit information to national research registries (e.g. Heart Disease, Cancer) under the Data Protection Act 1998.

 Social Services

We are required by law to report suspicion of, or documented cases of, abuse, neglect or circumstances of risk. Similarly we are obliged to support the investigations of Social Services, particularly in regards to children and the elderly, which may require us to release information. In this circumstance however the 
Foundation Trust is obliged to release only the information it considers necessary and would rarely release an entire set of care records.

Other external sharing

Depending on the care services that you are engaged with the  Trust may have other legitimate needs to share your information. These local needs are not captured here and if you are concerned or curious we would encourage you to speak to your care team about their information sharing requirements.

How we use your information for research

Care teams within C&I are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is used with a lawful basis such as consent.

Researchers will make efforts to take out any information that could identify you where possible, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit consent.

We work with healthcare partners, researchers and technical experts to develop computer systems, such as C&I Research Database. This includes encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research.  For more information on such local research systems and initiatives, please visit the C&I Research Database site.

In more exceptional cases, researchers may seek special support from the Secretary of State under the health service (control of patient information) regulations (also known as ‘section 251 support’). This can allow researchers to use your personal data without your permission, only when it is not practical to seek permission. They must also have reassured an independent committee who have reviewed the purpose and data security arrangements. You can find more information on trials where researchers have used this special support known as ‘section 251’ support

National opt-outs

The national data opt out allows patients to opt out of their confidential information being used for research and planning. You can read more about it on the NHS website.

Patients can find out more and set their opt-out choice on the your NHS data matters section of the NHS website.

Download and read the your data matters patient information leaflet [pdf] 232KB

Health and care staff can download leaflets, posters and other resources to use when informing patients. Staff can also read overview of the policy - Understanding the national data opt-out.

How we protect your information

Confidentiality and data security

All our staff have written into their contracts statements requiring them to keep personal information provided by users of the service in the strictest confidence. If you suspect a member of our staff has been indiscrete with your personal information (such as sharing it with non-health related organisations, selling it companies, or harassing you at home or work) please do not hesitate to provide the Foundation Trust a written complaint or contact Chief Executive's Office. The Chief Executive can be contacted at:

Chief Executive's Office
Camden and Islington NHS Foundation Trust
Fourth floor, East Wing
St. Pancras Hospital
4 St. Pancras Way

Fax: 020 3317 3230
Email: chief.executive@candi.nhs.uk

Freepost address

Jinjer Kandola MBE
Chief Executive
Camden and Islington NHS Foundation Trust
St. Pancras Hospital
4 St. Pancras Way
(Lon 12613)

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have legal basis on need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

All our staff have written into their contracts statements requiring them to keep personal information provided by users of the service in the strictest confidence. If you suspect a member of our staff has been indiscreet with your personal information (such as sharing it with non-health related organisations, selling it companies, or harassing you at home or work) please do not hesitate to provide the Trust with a written complaint .

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

All staff are required to undertake annual information governance (Data Security and Protection) training and are provided with an information governance awareness at induction to understand their responsibilities and agree to adhere to them. The staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Secure premises

We endeavour to keep your personal information safe and secure at all times. Trust premises have controlled public access during work hours and are securely locked otherwise. Most Trust premises are covered by CCTV as well as being protected by security services and alarms.

Restricted access records storage

Major Trust sites have restricted access records storage. At each site there will be a limited number of people who have access to the storage room and who control the release of records. This makes the records stored here unavailable except when requested under official protocols.

Data retention - How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.

To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have been considered.

All records held by the Trust will be kept for the duration specified by national guidance from the Department of Health and Social Care found in the Records management: Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk) and is supplemented by our Records Management policy and Retention schedule.

We would love to hear from you!

Fill on our form to provide valuable feedback! We’d love to hear from you so that we can constantly improve our site. Feedback form