Privacy Information
Privacy Information
The Trust respects your privacy and is committed to protecting your personal data.
The General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose personal data they hold and use. This information is outlined in our privacy notice.
If you would like to discuss, or have questions, on how the Trust processes information please contact the Data Protection Officer at: nlft.information.request@nhs.net
Privacy Notice
This privacy notice will tell you about how we look after your personal data, your rights, and who you can contact for information.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data is used and disclosed, how long it is kept and the controller’s legal basis for processing.
This privacy notice is amended and reviewed on a regular basis and is updated to include any changes in how information is handled at NLFT.
Sharing information with other organisations
There may be occasions where we have to share your information outside of NLFT. This is outlined in the below document:
CAMHS Privacy Notices
Information held by Children and Young People's Mental Health Services (CAMHS) can be found here:
NLFT CAMHS Privacy Notice
CAMHS FAQ
If you would like to access information held by CAMHS please follow this link or speak to your clinician: Your Information and Rights | North London NHS Foundation Trust
Service Specific Privacy Notices
Service specific Privacy Notices
These notices provide you with details of our privacy practices in connection with a number of systems we use and what we do to maintain your right to privacy.
You can download the privacy notices below:
- CCTV
- DotDigital Privacy Notice [pdf] 159KB
- E-Rota
- EPMA
- GP Connect
- Islington People's Rights
- Look Ahead
- MS Teams
- Patient Knows Best
- Recovery College
- Recruitment
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a process designed to help the Trust identify and minimise any data protection risks associated with our data processing activities. It is a key requirement under the General Data Protection Regulation (GDPR) and is essential for ensuring compliance with privacy regulations
Key points about DPIAs:
- Purpose: DPIAs aim to assess the impact of data processing on individuals' privacy rights and implement measures to protect data subjects
- Necessity: They are required when data processing is likely to result in high risks to the rights and freedoms of individuals
- Process: The assessment involves describing the data processing operations, evaluating the necessity and proportionality of the processing, identifying risks, and planning measures to mitigate those risks
By conducting a DPIA, the Trust can proactively address any potential privacy vulnerabilities and promote transparency in our data handling practices.
Please see a summary of recent DPIAs the Trust has completed below:
| Project/Process | Description | Article 6 Lawful Basis | Article 9 Lawful Basis | Service/Department |
| NCL Complex Long Term Conditions Service | The NCL Health Alliance, supported by partner CEOs and UCLPartners, is developing and testing new care models for adults with long-term conditions in NCL. Working with 5 Primary Care Networks (PCNs), the program aims to create a robust model for future commissioning by the NCL ICB. Running from December 2024 to May 2025, it uses existing patient data systems without new data sharing agreements. The model integrates various patient pathways to reduce redundant appointments and diagnostics, maintaining current patient data control. Initially, no new digital suppliers will be introduced, but future phases may include innovative digital solutions. | (e ) Public Task | h) Health or Social Care | Enfield and Haringey Divisions |
| NLFT MaST Implementation | The Trust has partnered with Holmusk to implement MaST across Community Mental Health Teams, Early Intervention, and Older Adults services. MaST, which provides mental health insights, helps predict unplanned care risks and improves clinical decision-making. The Trust remains the data controller, with Holmusk as the data processor. The project will integrate Camden & Islington NHS Foundation Trust with Barnet Enfield & Haringey NHS Trust's MaST instances, creating three instances for North London NHS Foundation Trust. Testing will occur separately before combining URLs into a single NLFT URL. | (c ) Legal Obligation (e ) Public Task |
h) Health or Social Care | Adult Community Mental Health Teams (CMHT) Older Adults (OA) Mental health services Early Intervention Services (EIS) |
| Co-Pilot | Microsoft 365 Copilot is a generative AI product that adheres to existing security, compliance, and privacy policies of Microsoft 365. It processes data without storing it and does not use user data to retrain its model. Copilot integrates with Microsoft 365 applications like Teams, Word, Outlook, and others, relying on tenant configurations for security and privacy. Communication between NHS.net Connect tenant and Copilot is encrypted, and patient information systems are out of scope. Plugins allow Copilot to access third-party apps, enhancing productivity for knowledge workers, such as generating project presentations from Teams meetings and OneNote notes. | (e ) Public Task | N/A | Corporate |
| Service Now HR | This project aims to extend the ServiceNow Platform used by Camden and Islington Foundation Trust to create a unified HR Service Delivery tool for the North London Foundation Trust. The goal is to establish a single Employee Portal for HR case submissions and self-service resources. HR teams will manage their workload, including HR cases, Employee Relations cases, and Joiner, Mover, Leaver processes, within ServiceNow as a single system of record for the Foundation Trust. | (a) Consent (b) Contractual Obligation c) Legal Obligation e) Public Task |
b) Employment, social security and social protection law f) Legal claims and judicial acts g) Substantial public interest conditions h) Health or social care i) Public health |
People and Occupational Development |
| Patient Knows Best (PKB) | PKB is an app designed to support Article 15 of GDPR, which grants individuals the right to access their personal data. The app allows service users to view and share their clinical records with chosen individuals. It centers on the person held record (PHR), enabling users to view data from various clinical teams, including mental health, acute, and primary care. Users can access information such as appointments, test results, care plans, crisis plans, medications, and imaging. They can share their records with others, communicate with carers and clinicians, and add personal information like journal entries, weight, blood pressure, and activity data from wearables. | e) Public Task | h) Health or Social Care | Corporate Nursing |
| RIO EPR | The purpose of RIO is to serve as the Trust's clinical system for processing Electronic Patient Records. It provides mental health and community services, recording all data related to patients' interactions with the Trust's clinical services. This includes operational information, clinical records, and data required for statutory, operational, KPI, and reporting purposes. Essentially, RIO ensures comprehensive documentation and access to patient records for direct care purposes. | e) Public Task | h) Health or Social Care | Nursing ICT |
