Your Privacy and Information

We are the North London Foundation Trust (NLFT), created on 1st November 2024 following the formation of the North London Mental Health Partnership between Camden and Islington NHS Foundation Trust and Barnet, Enfield and Haringey Mental Health Trust.

The Trust collects and processes information about you when you have accessed and used our services. Full information on the types of information that we collect and process can be found in our Privacy Notice.

Under the Data Protection Act, you have the right to request and access the information that we hold about you. You can access your information by making a Subject Access Request (SAR).

Privacy Notice

NLFT respects your privacy and is committed to protecting your personal data.

This privacy notice will tell you about how we look after your personal data, your rights, and who you can contact for information.

The General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose personal data they hold and use.

A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice. A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data is used and disclosed, how long it is kept and the controller’s legal basis for processing.

NLFT Privacy Notice [pdf]

Service Specific Privacy Notices

These notices provide you with details of our privacy practices in connection with a number of systems we use and what we do to maintain your right to privacy.

You can download the privacy notices below:

 

Requesting your information

You can request information that the Trust holds on you, such as your health records, by making a Subject Access Request (SAR).

You can make your SAR by emailing nlft.records@nhs.net

We encourage you to fill out the form below when making your SAR, as this will help us narrow down exactly what information you require. However, this is not a requirement:

 SAR-Form

Please note that requests for personal information may take between 30 and 90 days to respond to once identification is received, depending on the volume and complexity of the request.

Information and guidance on making a SAR can be found on the Information Commissioner's Office website: Getting copies of your information (SAR) | ICO

Please supply identification when making your request. It would also be helpful to include your NHS number so that we can address your request as efficiently as possible. Examples of acceptable proof of identification are listed below.

If you are unable to provide identification, please contact the IG Team at the above email address.

You must produce one piece of ID from each column:

| Proof of Name | Proof of Address |
| --- | --- |
| Current signed photographic passport | Utility bill (gas, electricity, water, landline telephone bill) issued within the last 3 months |
| Original birth certificate | Local Authority Council Tax bill for current tax year |
| EEA member state identity card | Current UK driving licence (if not used for proof of name) |
| Current UK or EEA photocard driving licence | Bank, Building Society or Credit Union statement or passbook dated within last 3 months |

Requesting information about someone else

You can make a SAR to obtain information about another individual provided you have a right to access this information or consent from the individual. 

To request information about another person, please complete and return our form or email your request to: nlft.records@nhs.net

 SAR-Form

Please note we will require proof of identity when you make this request and may ask for proof that you are able to make this request, for example that you have right of authority or consent. This consent or right of authority must be dated within the last 3 months.

Requesting information about a deceased individual

The Access to Health Records Act 1990 grants rights to certain individuals to see what has been written about a deceased patient in a hospital and other health records. This only applies to written records made on or after 1st November 1991.

Access to these records is only available to the deceased's personal representative or to any person having a claim arising out of a patient's death.

Access may not be permitted if the following circumstances apply:

  • If it is considered that the patient would not have wished disclosure of their information.
  • If access would lead to the identification of someone else not involved in the patient's care.
  • If access would cause serious mental or physical harm to someone else not involved in the patient’s care.

To request information about a deceased individual please complete and return the above form or email your request to nlft.records@nhs.net

 

How long will you keep my records for

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.

To determine the appropriate retention period for personal data, we have considered the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.

All records held by the Trust will be kept for the duration specified by national guidance from the Department of Health and Social Care, found in the Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk), and supplemented by our Records Management policy and Retention schedule.

National Data Opt-Out

The national data opt-out allows patients to opt out of their confidential information being used for research and planning. You can read more about it on the NHS website.

Patients can find out more and set their opt-out choice on the NHS data matters section of the NHS website.

Health and care staff can download leaflets, posters and other resources to use when informing patients. Staff can also read an overview of the policy - Understanding the national data opt-out.

Data Protection Impact Assessments (DPIA)

A Data Protection Impact Assessment (DPIA) is a process designed to help the Trust identify and minimise any data protection risks associated with our data processing activities. It is a key requirement under the General Data Protection Regulation (GDPR) and is essential for ensuring compliance with privacy regulations.

Key points about DPIAs:

  • Purpose: DPIAs aim to assess the impact of data processing on individuals' privacy rights and implement measures to protect data subjects
  • Necessity: They are required when data processing is likely to result in high risks to the rights and freedoms of individuals
  • Process: The assessment involves describing the data processing operations, evaluating the necessity and proportionality of the processing, identifying risks, and planning measures to mitigate those risks

By conducting a DPIA, the Trust can proactively address any potential privacy vulnerabilities and promote transparency in our data handling practices.

Please see a summary of recent DPIAs the Trust has completed below:

DPIA Summary

| Project/Process | Description | Article 6 Lawful Basis | Article 9 Lawful Basis | Service/Department |
| --- | --- | --- | --- | --- |
| NCL Complex Long Term Conditions Service | The NCL Health Alliance, supported by partner CEOs and UCLPartners, is developing and testing new care models for adults with long-term conditions in NCL. Working with 5 Primary Care Networks (PCNs), the program aims to create a robust model for future commissioning by the NCL ICB. Running from December 2024 to May 2025, it uses existing patient data systems without new data sharing agreements. The model integrates various patient pathways to reduce redundant appointments and diagnostics, maintaining current patient data control. Initially, no new digital suppliers will be introduced, but future phases may include innovative digital solutions. | (e) Public Task | (h) Health or Social Care | Enfield and Haringey Divisions |
| NLFT MaST Implementation | The Trust has partnered with Holmusk to implement MaST across Community Mental Health Teams, Early Intervention, and Older Adults services. MaST, which provides mental health insights, helps predict unplanned care risks and improves clinical decision-making. The Trust remains the data controller, with Holmusk as the data processor. The project will integrate Camden & Islington NHS Foundation Trust with Barnet Enfield & Haringey NHS Trust's MaST instances, creating three instances for North London NHS Foundation Trust. Testing will occur separately before combining URLs into a single NLFT URL. | (c) Legal Obligation; (e) Public Task | (h) Health or Social Care | Adult Community Mental Health Teams (CMHT); Older Adults (OA); Mental health services; Early Intervention Services (EIS) |
| Co-Pilot | Microsoft 365 Copilot is a generative AI product that adheres to existing security, compliance, and privacy policies of Microsoft 365. It processes data without storing it and does not use user data to retrain its model. Copilot integrates with Microsoft 365 applications like Teams, Word, Outlook, and others, relying on tenant configurations for security and privacy. Communication between NHS.net Connect tenant and Copilot is encrypted, and patient information systems are out of scope. Plugins allow Copilot to access third-party apps, enhancing productivity for knowledge workers, such as generating project presentations from Teams meetings and OneNote notes. | (e) Public Task | N/A | Corporate |
| Service Now HR | This project aims to extend the ServiceNow Platform used by Camden and Islington Foundation Trust to create a unified HR Service Delivery tool for the North London Foundation Trust. The goal is to establish a single Employee Portal for HR case submissions and self-service resources. HR teams will manage their workload, including HR cases, Employee Relations cases, and Joiner, Mover, Leaver processes, within ServiceNow as a single system of record for the Foundation Trust. | (a) Consent; (b) Contractual Obligation; (c) Legal Obligation; (e) Public Task | (b) Employment, social security and social protection law; (f) Legal claims and judicial acts; (g) Substantial public interest conditions; (h) Health or social care; (i) Public health | People and Occupational Development |
| Patient Knows Best (PKB) | PKB is an app designed to support Article 15 of GDPR, which grants individuals the right to access their personal data. The app allows service users to view and share their clinical records with chosen individuals. It centers on the person held record (PHR), enabling users to view data from various clinical teams, including mental health, acute, and primary care. Users can access information such as appointments, test results, care plans, crisis plans, medications, and imaging. They can share their records with others, communicate with carers and clinicians, and add personal information like journal entries, weight, blood pressure, and activity data from wearables. | (e) Public Task | (h) Health or Social Care | Corporate Nursing |
| RIO EPR | The purpose of RIO is to serve as the Trust's clinical system for processing Electronic Patient Records. It provides mental health and community services, recording all data related to patients' interactions with the Trust's clinical services. This includes operational information, clinical records, and data required for statutory, operational, KPI, and reporting purposes. Essentially, RIO ensures comprehensive documentation and access to patient records for direct care purposes. | (e) Public Task | (h) Health or Social Care | Nursing; ICT |
