Privacy notice

The North Middlesex University Hospital NHS Trust collects and uses information about you and your health and the care we provide to you.

This privacy notice provides a summary of how we use your information.

Who we are

The North Middlesex University Hospital NHS Trust

Sterling Way


N18 1QX

If you have any queries about this privacy notice, or wish to receive information about how the Trust protects your information, including Data Protection Impact Assessment, please contact our Data Protection Officer,  either in writing at the address above or by email at:

The Trust is registered with the Information Commissioner’s Office as Data Controller Registration Reference Number: Z7900606

Information security

The Trust collects information which is paper-based or held on a computer.  We take our duty to protect your personal information and confidentiality very seriously and are committed to take appropriate measures to ensure it is held securely and only accessed by those with a need to know.

The information we collect:

  • Name, Address, Date of Birth, Next of Kin, contact details.
  • Details of diagnosis, treatment and hospital visits
  • Allergies and health conditions.
  • Relevant information from people who care for you and know you well such as your GP, other health or social care professionals, relatives or carers.

We also collect information about your ethnicity, religion, disability, language preference and sexual orientation, in order to monitor that we are treating everybody fairly.

It is essential that we have accurate and up to date information about you.  Please check that your personal details are correct whenever you visit us and keep us informed of any changes e.g. address, contact details, GP practice.

Our hospital usually collects this information directly from you, from your GP or other hospital or clinic that refers you to us for treatment. 

How we use your information

North Middlesex University Hospital is one of many organisations working in the health and care system to improve care for patients and the public

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • To assess your health and decide on the most appropriate care for you
  • Make sure your care is safe and effective
  • Appropriate information is available if you need to see another doctor or are referred to a specialist or somewhere else in the NHS or social care
  • Your concerns can be investigated if you have a complaint
  • Research into the development of new treatments (see below)

The Trust also has duties to collect your information for other monitoring which it must report to NHS England or the Department of Health e.g. equalities monitoring

What is confidential patient information?

Confidential patient information is when two types of information from your health records are joined together.

The two types of information are:

  • Something that can identify you
  • Something about your health care or treatment

For example, your name joined with what medicine you take.

Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.

Sharing your information

Everyone working in health or social care has a legal duty to keep information about you confidential; anyone who receives your information from us is also under legal obligation to keep it confidential.

We will normally share information about you with other health care and social professionals directly involved in your care so that you may receive the best quality care.  For example, every time you attend the hospital as a patient, we will send your GP a summary of any test results, diagnoses and treatment given.

We may need to share information about you so that we can all work together for your benefit, if you are receiving care from other people as well as the NHS:

  •  Social care services
  •  Other NHS organisations and staff
  •  Education services
  •  Local authorities
  •  Voluntary organisations working with the NHS.

The management of health care is complex requires that your information is shared and used for the following purposes:

  • Disclosure to specialist organisations for clinical auditing and other activities which help us to improve the care we provide
  • Disclosure to NHS Managers and the Department of Health for the purposes of planning, managing, auditing, commissioning
  • Disclosure to bodies with statutory investigative powers – e.g. the Care Quality Commission, the GMC, The Audit Commission
  • Disclosure to national generic registries – e.g. Cancer Registries
  • EEA patients: if you are a patient visiting from an EEA country and you are unable to produce a valid EHIC the Trust may require to share your personal data with your embassy who will confirm your nationality and your entitlement to public healthcare.
  • Overseas patients (non EEA countries): if you are a patient from a non EEA country, or a country where the UK does not have a reciprocal arrangement for payment of health care, the Trust may share your data with the UK Home Office for the purposes of status validation and charging.

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations such as the local Clinical Commissioning Group (CCG) and NHS Digital (part of NHS England).  In such circumstances, the Trusts shares information which is anonymous or the information is changed so that patient’s names and other items which could identify the individual patient is removed – unless the law requires the patient’s identity to be included.

Some of the Trust’s partners include private sector organisations who provide services on our behalf; some examples of the services provided include:

Healthcare; services for our hospital and patients such as cleaning, provision of food, provision of equipment, security services.

The Trust also uses an external company for laboratory services such as blood and urine tests.  We also use an external company for reporting on diagnostic images e.g.-rays, CT scans.

In all circumstances, the partners are chosen from reputable companies and are required to sign a contract and confidentiality agreement with the Trust that they will protect and keep any information secure.

The Trust’s partners who contribute to care provision are not always in the UK however, we will always follow the law and have contract in place with them to do the same.

There may be other circumstances when we must share your information with other agencies when we are not required to seek your consent. e.g.

  • There is a concern that you are putting yourself at risk of serious harm
  • There is a concern that you are putting another person at risk of serious harm
  • There is a concern that you are putting a child at risk of harm
  • We have been instructed to do so by a court
  • The information is essential for the investigation of a serious crime
  • You are subject to the Mental Health Act and your nearest relative must receive information even if you object
  • If the information requires to be notified for public health or other legal reasons e.g. certain infectious diseases.

Other organisations

Other organisations which manage overall NHS services e.g. NHS Counter Fraud Services, NHS Prescription Service, organisations that have a statutory duty to undertake financial or regulatory audits on NHS Trusts e.g. The National Audit Office, Care Quality Commission.

The Benefits Agency and Job Centre Plus sometimes ask us to confirm the dates you attended the hospital.  We provide this confirmation only; no clinical information is shared.

National Patient Surveys

The Care Quality Commission and the Department of Health requires the Trust to undertake patient surveys so that your views can be obtained as to how we can improve our services.

Usually, another specialist company will be appointed to undertake the survey, to keep it anonymous to the Trust.  The Trust has a legal obligation to provide the patient information required to conduct the surveys.

Other ways in which we use your information

We use your telephone number to remind you of your appointment details via SMS and Interactive Voice Messaging.  If you do not wish for the Trust to contact you in this way, please inform a member of staff or contact The Data Protection Officer at the address below or by email at

We also usually send a copy of letters sent to your GP to you at your home address.  If you do not wish to receive this letter, please inform a member of staff or contact The Data Protection Officer at the above address.

Surveillance Cameras (CCTV)

We use surveillance cameras (CCTV) around the hospital site in order to

  • Protect staff, patients, visitors and property and prevent crime
  • Apprehend and prosecute offenders and prosecute offenders and provide evidence to take criminal or civil action in the courts
  • Provide a deterrent effect and reduce unlawful activity
  • Help provide a safer environment for our staff
  • Assist in traffic management and car parking schemes
  • Monitor operational and safety related incidents
  • Assist with the verification of claims.

You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to:

Support Services Contract Manager LSMS

Estate and Facilities Dept.

North Middlesex University Hospital NHS Trust

London N18 1QX

or email:

You will need to provide further details which must contain sufficient information to identify you and assist us in finding the images on our systems.

We reserve the right to withhold information where permissible by the relevant legislation.  The Trust only retains CCTV images for a reasonable period or as long as it is required by the low.  In certain circumstances, we may need to disclose CCTV images for legal reasons.

Trust Publications

The Trust uses social media and publishes literature and reports to provide information to patients, staff and the public at large.  The Trust will always ask for your consent if we want to use your personal data in this manner. 

Legal background

As a UK Public Authority, the Trust will continue to process your information under the General Data Protection Regulations from 25th May 2018. 

Article 6 (1) allows the Trust to process your personal information as it does so “in the exercise of official authority vested in” it as per the Health and Social Care Act 2015.

Article 9(2)(i) allows the Trust to process your personal information and special category (Sensitive) personal information for the provision of health or social care or treatment or the management of health or social care systems.

The law requires that we use your information fairly, in a transparent and accountable way; where you have provided consent for a specific aspect of how we use your information, you may wish to reconsider.  In this case, please contact the Data Protection Officer who will advise you whether this applies.

How long do we keep your information?

All patient records are retained in accordance with the NHS Retention schedule which provides us guidance for the length of time each type of health record is retained.

When destroyed, all records are destroyed confidentially.

Use of your data for Research and Planning

Whenever possible, personal data that is used for research and planning is stripped of names, dates of birth and other information that directly identifies you. The remaining data are still considered ‘personal’ and confidential and have special protection under the law (DPA2018)[1]

Your choice to opt-out

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit .  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

This covers how and why patient information is used, the safeguards and how decisions are made.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


The Trust is required to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from:

Information Commissioner’s Office

Wycliffe House

Water Lane



Telephone: 0303 123 1113



If you have a complaint about the way the Trust uses your information, please contact the

Data Protection Officer

North Middlesex University Hospital NHS Trust

Sterling Way


N18 1QX




Patient Advice Liaison Service (PALS)

Tel 020 8887 3172


Service user privacy notice April 2020 - update Covid-19

North Middlesex University Hospital NHS Trust is committed to protecting your personal information. In the fight against this global pandemic we are currently working with all our partners in Health and Social Care to ensure information is shared with the right people at the right time to ensure you receive the best possible care.

Data Protection rules will not hinder the sharing of personal information during these unprecedented times and we will continue to process information in accordance with national law and GDPR.

The processing of personal information relating to this is necessary for reasons of planning and providing health and social care to both individual data subjects and is in the substantial public interest in the area of public health and specifically to support the control of an epidemic. For more detailed information regarding the lawful basis to undertake these activities please see the links below: 

Health Service Control of Patient Information Regulations 2002

On 20 March 2020, the Secretary of State for Health and Social Care issued a ‘Notice’ under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 (COPI) to:

  • Organisations providing health services;
  • General Practices;
  • Local Authorities; and,
  • Arm’s Length Bodies of the Department of Health and Social Care.

The purpose of this ‘Notice’ requires the aforementioned organisations to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to COVID-19.

“Processing” for these purposes is defined as dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3)2 of COPI. This Notice will be reviewed on or before 30 September 2020 and may be extended further by Notice in writing. If no further notice is sent, this Notice will expire on 30 September 2020.

This ‘Notice’ has been named ‘COVID-19 Notice’. This Notice:

  • legally requires an organisation to share and process data for COVID-19 purposes;
  • sets aside the requirements of Common Law Duty of Confidentially3 for COVID-19 purposes;
  • sets aside the obligation to honour the National Data Opt-Out4 (NDOO) for COVID-19 purposes (where local or historic opt outs are in place to meet data protection ‘proportionality’ of processing and are not in relation to the ‘information standard DCB3058 and 91/2018, published under section 250 of the Health and Social Care Act 2012’,
  • DOES NOT set aside the requirements of the Data Protection Act 2018 (DPA 18), nor The General Data Protection Regulation6 (EU GDPR), in particular the provisions of data minimisation;
  • requires a record to be kept of the data shared or processed; and,
  • imposes a civil penalty on any person who does not comply with the Notice.

The Health Service (Control of Patient Information) Regulations 2002 make provision for the processing of patient information, including confidential patient information. 

Regulation 3 makes provision for the processing of patient information for the recognition, control and prevention of communicable disease and other risks to public health.

Regulation 3(4) provides powers under which the Secretary of State may require certain persons who perform health services or other public functions to process information where, for example, there is a need to assess whether there is a significant risk to public health. 

Regulation 4 provides that information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence. 

Regulation 7 restricts the processing of information under the Regulations, for example by requiring the removal of particulars by which the persons to whom information relates can be identified if it is practical (regulation 7(1)(a)). 

Regulation 8 provides for enforcement by civil penalty of requirements imposed under regulations 2(4) or (5), 3(4) or (5) or 7. 

A COVID-19 purpose includes but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks;
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19;
  • understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19, and the availability and capacity of those services or that care;
  • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services;
  • delivering services to patients, clinicians, the health services and adult social care services, workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and,
  • research and planning in relation to COVID-19.

Information Commissioner

The Trust will comply with all published guidance by the Information Commissioner.

Further information can be found here

If you have concerns about how your information is being used you can contact the Trust Information Governance Team at

Please note that due to working restrictions linked to COVID-19, these are the only way at this point to contact the Team.