Privacy Notice

The UK General Data Protection Regulation (UK GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.

Whittington Health as a Data Controller

Whittington Health NHS Trust is a data controller under the UK GDPR and the Data Protection Act 2018. Our registration number with the Information Commissioner’s Office (ICO) is Z6966145.

Controllers make decisions about processing activities. They exercise overall control of the personal information being processed and are ultimately in charge of, and responsible for, the processing. Processing means any operation, or any set of operations, performed upon personal information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, use, sharing, consolidation, blocking, erasure, or destruction of data. The Trust is only the controller for information it holds. For details of the information held by other NHS organisations that have treated you, you should visit their websites.

Why we collect information about you

The information collected about you is necessary for the purpose of:

·         producing records about your health and any care and treatment you are offered or receive

·         providing a basis for health decisions made by you and care professionals

·         providing medical diagnosis and providing treatment

·         ensuring your care is safe and effective by working with other organisations providing you with care

·         managing health and social care systems and services

·         research 

·         complying with legal obligations

What personal information is collected?

·         Name, address, date of birth, phone number, and email address (where you have provided it to enable us to communicate with you)

·         Your next of kin and contact details

·         Notes and reports about your physical or mental health and any treatment, care or support you need and receive

·         Results of your tests and diagnosis, including medical imaging

·         Relevant information from other professionals, relatives or those who care for you or know you well

·         Any contacts you have with us such as home visits or outpatient appointments

·         Information on medicines, side effects and allergies

·         Patient experience feedback and treatment outcome information you provide.

Lawful basis for processing your personal data

The Trust will process your data lawfully in accordance with the regulations:

·         Article 6(1)(e) and Article 9(2)(h) of the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 (DPA18)

In cases where your personal data is needed for reasons other than direct care & treatment, and where there is no other valid legal basis, your explicit consent will be sought prior to processing.

Others in the NHS may also need to use records about you  

Data may be shared with our health or social care partners should they be involved or required to be involved in providing care or treatment to you. Other reasons may also include:

·         checking the quality of care (clinical audit) 

·         collecting data regarding public health matters 

·         commissioning purposes and ensuring NHS funding is being allocated appropriately 

·         helping to investigate any concerns or complaints you may have about your health care 

·         teaching healthcare workers and helping with research and planning

Further details on data collection can be found here on the NHS Digital website, and more information on CCGs can be found here on the NHS England website.

Right to rectification

We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, e.g. a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information.

National Data Opt Out
You have the right to object to your data being used for the research, planning and running of the NHS via the National Data Opt-out programme as well as your ‘right to object’ under Article 21 of the GDPR/DPA 18.

Consent and Objections to processing data
The process below outlines what happens when the Trust receives a request to object to the processing of personal data. This is for cases where patient information is used for purposes other than individual care and not already covered by the National Data Opt Out detailed above; this will be for activities such as patient mailing lists.

When the Trust receives an objection, it will be reviewed by the Trust’s Information Governance department. The requestor will be asked for proof of identity. We may seek to further establish or confirm the data subject’s objection, where necessary confirming the services the objection applies to.

If the objection relates to processing based on legitimate interests, the request will be assessed as to whether the objection should be upheld.

Health Information Exchange (HIE)

The Trust works with GP practices, other hospitals and social services across North London to make your information available to them. A record of care is held on each partner’s secure clinical system (a local record). HIE integrates data from each partner’s electronic health and care systems to provide a real-time and read-only summary of that data to a care professional when required for the purpose of your direct care. 

The care professional can see relevant parts of your clinical record; this excludes certain sensitive data items.

How can I “opt-out” of data sharing via HIE? 

Please think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.

If you choose to opt out, we may still need to share data for your care, but it will be using less immediate methods. For example, your GP may refer you to a hospital consultant by email. During your hospital appointment, the consultant will be able to see some of the information your GP holds about you by referring to HIE. If you opt out, the consultant may only see the information the GP put in the email or may need to phone your GP in advance of your appointment.

For further information on HIE, including how to opt out and how to opt back in, you can go to the North London Partners website:   

Systems, Storage and Retention

Your data will be stored on secure Trust systems and servers based in the UK.

Records will be retained as per the guidance set out in the Records Code of Practice for Health and Social Care 2021.

Attend Anywhere

Whittington Health are utilising the web-based video consultation platform called ‘Attend Anywhere’, for video consultations. Attend Anywhere requires you to enter your name, phone number and date of birth upon log on via a secure web link on your smart phone, tablet or computer. There is no requirement to create an account to use the platform. Your name, phone number and date of birth data are deleted from the platform within an hour of finishing the consultation and leaving the waiting area. 


The Trust has partnered with Induction Zesty to provide access to letters and appointments through the NHS app.
Please note that if you access the Zesty service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.  

Data Protection Impact Assessments

You can view the Trust’s Data Protection Impact Assessments (DPIA) by making a Freedom of Information request. Any sensitive information that may pose a security risk will be redacted from these. To make a Freedom of Information request, please email us at

How to access your personal information

You can make a request to obtain a copy of personal data that we hold about you by completing the request form on the Subject Access Requests page here on our public website.

How to contact us

You can contact the Data Protection Officer at or by calling 020 7288 3077.

If you are dissatisfied with the service you have been provided and have exhausted the Trust’s complaints process, you can refer any complaints to the Information Commissioner’s Office (ICO) via the ICO website or by calling 0303 123 1113.

Last updated 26 May 2023