How we use your information
How we handle your Information – Privacy Notice for Patients and service users
General Privacy Notice
This Privacy Notice informs you of how Barnet, Enfield and Haringey Mental Health NHS Trust (the Trust) collects and uses your personal information. It applies to all information we collect and store that has been received directly from you through your accessing our services or from other health and social care organisations, including GP Practices and other community providers.
Who we are and our duty?
Barnet, Enfield and Haringey Mental Health NHS Trust (BEH MHT) provides, designs and implements services that meet the diverse needs of our population and workforce. We ensure that none are placed at a disadvantage over others. The Trust takes into account its legal obligations under the Data Protection Act 2018, General Data Protection Regulation (GDPR), Equality Act 2010, the Human Rights Act 1998 and other relevant legislation.
The Trust is committed to its duty to protect the privacy and confidentiality of service users and staff. The Trust has put measures in place to ensure the safety and security of all the personal data that we hold, use and collect about you, both in paper and electronic format.
As a Data Controller, the Trust has appointed specialist Information Governance roles which have Board-level reporting and accountability.
- The Senior Information Risk Owner (SIRO) and a Deputy Information Risk Owner are accountable for the management of information risks, assets and incidents.
- The Caldicott Guardian (CG) is responsible for the management of patient information and patient confidentiality.
- The Chief Clinical Information Officer (CCIO), who is also the Deputy Caldicott Guardian (CG), is responsible for providing clinical focus to promote good health outcomes in the use of technology and information to support the Trust’s clinical information strategic needs.
- The Data Protection Officer (DPO) is responsible for overseeing the Trust’s data protection strategy and its implementation to ensure compliance with GDPR requirements.
For your safety, we recommend you use one care provider (NHS or Private). Parallel care from Barnet, Enfield and Haringey NHS Mental Health Trust and concurrent care under a private care provider can cause patient safety issues and be counterproductive. BEHMHT discourages this practice and suggests that patients and carers refrain from pursuing it.
You can contact us via our website. http://www.beh-mht.nhs.uk/contact-us/
Why we collect personal information from you
The Trust provides a range of inpatient and specialist mental health and learning disability services to over one million people in the London boroughs of Barnet, Enfield and Haringey. We also provide a full range of children and adult community health services in Enfield which are increasingly being integrated with our mental health services to provide a range of holistic services.
The Trust also provides mental health services to prisons in London and Aylesbury.
To provide these services, the Trust must collect personal information from you to ensure it can provide you with the appropriate care and treatment and to meet its statutory and regulatory obligations. The Health and Social Care Act 2012 and The Care Act 2014 require us to keep records of your care and treatment that you receive from us and in accordance with the following regulations.
- The Data Protection Act 2018
- General Data Protection Regulation
- The Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1998
- Audit Commission Act 1998
- Regulation of Investigatory Powers Act 2000
- Access to Health Records Act 1990
As a Health Care organisation, we are required to ensure:
- You receive the best possible care and treatment from us.
- We have accurate and up to date information available about you when you are referred to a specialist or another area for treatment.
- We can work safely and effectively with everyone involved.
- Our health professionals have a good basis to make health decisions about you.
All information collected, together with your details of care, is saved on our various services' clinical systems for our clinicians to view every time they provide treatment to you.
At the same time, we may also use your information for non-direct care purposes where we require to:
- Plan and improve our service user’s needs.
- Investigate any serious complaints, untoward incidents or legal claims.
- Monitor clinical practices and check the quality of care we provide to you.
- Audit our accounts and services.
- Determine the allocation of NHS Funding.
- Provide Anonymised statistics for NHS performance management and monitoring activities.
- Report on public matters for the monitoring of infectious diseases and COVID.
- Train and educate staff.
- Conduct and support medical training and research and development in the Trust.
Most of the time, any data collected for the above secondary purposes (non-direct care) is provided in an anonymised format: your personal details are removed so that you cannot be identified from any information provided. For national reporting, any reports that we are legally obliged to send to NHS Digital for financial funding of our community services will only provide a summary of the numbers of patients referred to services. Again, no personal information will be used.
Information we record
We record various items of personal data about you. It is essential that your details are accurate and up to date.
Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
This will include:
- Basic details such as your name, date of birth, address, postcode, telephone number, email address, education/schooling etc.
- Relevant details about your next of kin, professionals, family and relatives and carers who look after you.
- Details about your care and treatment and any advice given at referrals e.g., notes and assessments.
- Any contacts you may have had with us for home visits or outpatient appointments.
- Any information on medicines, side effects and allergies.
- The results of investigations undertaken e.g., blood tests, x-rays, complaints, tribunals etc.
- Patient experience feedback and treatment outcomes.
We also collect sensitive data (known as special category information) about you. These are:
- Details of your nationality, ethnicity, race etc.
- Your religious or philosophical beliefs.
- Your sexual orientation / gender.
- Health information (physical and mental health) e.g., health care assessments.
- Genetic data (about the genes in your body);
- Biometric data (recognition data such as fingerprints, iris patterns, facial geometry etc).
We may also hold information about any criminal activities and offences you may have been involved in.
Generally, this primary information is held electronically on our IT systems to contribute to your direct care. It is also used by our administration teams to ensure that we maintain high standards in our service delivery of health care services that you expect from us.
How information is collected
Information is collected when you:
- Consult with our clinicians and supporting staff.
- Complete our online or paper forms.
- Email us with your information.
- When you give us feedback on our services; or make a complaint.
- When you apply for a job with us.
Why we collect this personal information and how we use it
As a Health service provider, we will always process your personal data fairly and lawfully. This means that we will not need your consent for the delivery of direct care to you. Rather, we will process and use your data to carry out our activities by relying on a lawful basis under the General Data Protection Regulations (GDPR).
For the delivery of health services and administration under the Data Protection Act 2018, the lawful bases we rely on and will apply to fulfil our obligations in most cases are:
- Article 6 (1) (e) – we process your data for the performance of a task carried out in the public interest and in exercising our official authority, where the task has a clear basis in law.
- Article 9 (2) (h) – The processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services, Health and Social Care Act 2015 (i.e., for the processing of sensitive data).
If we do collect secondary data from you for non-health care purposes, e.g., for research audits, service improvements and contract monitoring, we will require your explicit consent for this. The legal conditions relied on where this situation applies are:
- Article 6 (1) (a) – The processing has been given explicit consent (i.e., for personal data)
- Article 9 (2) (a) – The processing has been given explicit consent (i.e., for special category data).
Detailed descriptions of the legal basis we rely on when we use your data can be found here: BEH Legal basis for information use
How we protect your Privacy - Information Confidentiality and Data Security
As an NHS organisation we have a set of strict information security and data protection policies and procedures to ensure we protect your privacy and confidentiality.
Our staff have a duty of confidence and written contract statements which require them to keep personal information disclosed by you or created by us during your encounter with us in strict confidence.
If you suspect a member of our staff has been indiscreet with your personal information (such as sharing it with non-health related organisations or harassing you at home or work), please do not hesitate to contact the Trust with a written complaint via our patient complaints team.
The Trust has secure encrypted networks (at rest and in transfer) and appropriate IT safeguards such as the NHS Smartcard to ensure data is protected from unauthorised access, hacking and loss. Access to systems is based on role privileges and responsibilities, and system audits are regularly undertaken to ensure our controls remain fit for purpose.
Any third parties (i.e., data processors) that are deployed to support us are robustly verified in terms of their governance controls and are legally and contractually bound to operate in a secure environment with appropriate security arrangements in place.
Employees of Barnet, Enfield and Haringey Mental Health Trust are not allowed to support their relatives or family members to view or obtain information from their record. Employees of the Trust who deliberately view or look at records of patients they do not have a legitimate clinical employment relationship with will be subjected to disciplinary actions.
How we share information
As a Trust we may share your information internally as well as with a variety of other external individuals and organisations that are involved in your direct care and for other legitimate reasons including for the purpose of safeguarding individuals and crime investigation and prevention. For example, this may be with:
- Your friends, family and carers (including anyone who has the authority to act as your next of kin, has a Power of Attorney or duty for the provision of social or healthcare, vital interests or with consent where applicable).
- Other Healthcare and Multi-Disciplinary Teams e.g., other NHS Trusts (Acute Health/Mental Health), General Practitioners (GPs), Private Care Providers, Emergency Services, NHS 111, Ambulance Services and Integrated Care Board (ICB).
- Social Services and Local authorities.
- Education Services.
- Regulators and Safeguarding Authorities/Commissioners who may be involved in investigating a regulatory obligation, e.g., Multi-Agency Safeguarding Hub, the Care Quality Commission (CQC), Public Health England, the Police and Information Commissioner's Office etc.
- The Trust’s service providers such as the Trust’s language and sign language interpretation/translation and telephone call recording service.
- Professional advisors such as lawyers in the exercise or defence of legal claims.
- Charitable organisations that support the provision of further care (e.g., hospices) and funding treatments.
- Bulk mailing providers in order to communicate with our patients to satisfy our legal obligations and healthcare requirements.
In limited circumstances information may be shared with the Police and other law enforcement agencies where there is a need to:
- Protect the public safety of you or others.
- There is a legitimate enquiry to trace a missing person or prosecute or apprehend a person for a serious crime.
- There is a safeguarding matter involving a vulnerable child or adult.
- There is a legitimate fraud investigation being undertaken on you; or
- We have received a Court Order requesting information about you.
The Trust currently works with the Metropolitan Police to support the work of the Serenity Integrated Mentoring (SIM) and High Intensity Network, which is an initiative aimed at reducing the number of people detained by the Police under S136 of the Mental Health Act (MHA) in the community. All data shared is in accordance with Data Protection Legislation.
Where information is shared, this will be done proportionately to the legal requirement of the request.
When and where we will share your Information without your consent
In certain circumstances health care organisations are legally and morally obliged to share your information. In some of these circumstances your consent will not be requested by us for this sharing to take place and we may not be obliged or able to report that the sharing has taken place.
The following list includes, but is not limited to, such circumstances:
Courts (civil and criminal)
If a court serves the Trust a court order, we are obliged to provide the requested information. It is the responsibility of the court to contact you to inform you of their actions.
Department of Health
The Department of Health requires us to submit information for performance and financial monitoring purposes.
Police and law enforcement
The Police and other law enforcement agencies can require us to submit information they require to fulfil their duty, because they have powers to request information when investigating criminal matters. We would in most cases be unable to inform you that your information has been shared with the police or law enforcement agencies.
There are instances where the police may ask us to provide them with information about patients and service users to support their work. There are times when this information about you must be provided to the police because the law requires it, for example where this relates to a road traffic accident.
We may also provide information about you to the police because a sufficiently important reason has been given by the police. An example is in relation to the prevention or detection of a serious crime such as an assault where the victim has suffered serious harm. You will usually be asked before your information is shared with the police.
There are times when it is not appropriate to inform or ask you about the sharing. Examples include where doing so would undermine a police investigation or put you or another person at risk of serious harm. Each request is considered carefully on a case-by-case basis.
Professional bodies, such as the General British Medical Association Council or the Nursing and Midwifery Council have obligations to ensure their licensed members adhere to their codes of practice. Under some circumstances they can request information to assist in malpractice or misconduct investigations.
National Government department
Some National Government departments have powers to request information to assist in their investigations (e.g. The Home Office).
National Disease Registries or Research Projects
The Trust may by law be obliged to report some communicable diseases if a service user is infected (e.g. COVID-19, Influenza, and Tuberculosis). We may also be required to submit information to national research registries (e.g., Heart Disease, Cancer) under the Data Protection Act 1998.
We are required by law to report suspicion of, or documented cases of, abuse, neglect or circumstances of risk. Similarly, we are obliged to support the investigations of Social Services, particularly in regards vulnerable individuals (Children and Adult), which may require us to release information. In this circumstance however the
The Trust may have other legitimate needs to share your information, under its public task obligation, to fulfil some information sharing requirements; this will depend on the care service you are engaged with.
Information Sharing Initiatives
As a Health Care organisation, we participate in information sharing initiatives, to ensure you receive timely and safe care when you present at any care setting.
National Care Record
The National Care Record is an information sharing initiative across the health service. It supports delivery of timely and safe “Direct” care to patients at any healthcare setting. The initiative is a quick and secure way for healthcare professionals to access patient information to improve the services and clinical decisions you will receive wherever you are being treated or go to receive treatment.
London Care Record
The London Care Record enables health and care staff to have one secure view of a person’s relevant health and care information. Even if a person’s details are held in other London care organisations, information can still be accessed safely and securely.
North Central London (NCL) NHS providers have joined up to facilitate the sharing of health information via the London Care Record platform, to improve the services you receive when you present at any care setting in North Central London. These include Acute hospitals, Specialist hospitals, Community Providers, Mental Health Providers, General Practices (GPs) and the London Ambulance Service (LAS).
Local health and care systems across London are working together as part of the One London programme – to improve how health and care services are delivered and experienced. In part, this is about making health and care information more consistent, more joined-up and more available to the clinicians, patients and families who need it.
The connectivity via these systems will enable the healthcare professional treating you at any care setting to view health data that is held about your care. This information sharing provides the benefit of a broad understanding of your current condition without the need for you to repeat it to the health professional treating you.
For more information click on the links below.
National Record Locator Programme (NRL)
The Trust is also enabling the sharing of Mental Health crisis plans with the Ambulance Service in a mental health crisis situation via NHS Digital’s National record locator programme to enable better care and information to be provided, when a 999 or 111 call is made in an emergency situation.
Further Information on the National Record Locator (“NRL”) is available on NHS Digital’s public-facing internet pages:
What does this mean for you?
Health and care professionals have shared information on paper for many years – we are now able to do this using digital technology.
When you visit one of our hospitals in North Central London or your GP, your healthcare worker will have all the information to hand to treat you effectively and efficiently. You will not need to provide the full story of your symptoms, what happened or the medicines you were prescribed, as this will be already accessible from your notes via the London Care Record and National Records Locator platforms.
Information will be available in real time – or in some cases within 24 hours – and will ensure your health and care teams have the most up to date information about your care.
Under General Data Protection Regulations (GDPR), information will only be shared and accessed on a strictly need-to-know basis by health and care professionals across the settings, only for the purposes of providing you with direct care. Your data is securely held on these platforms, with strict access control and audits.
What are the benefits of joined-up records?
Joined-up health records provide many advantages in the delivery of care by health care professionals and for people using health and care services, as follows:
- Everyone involved in your direct care will have the whole picture. When you visit somewhere different for care or meet a new care professional, they will have access to your health and care information, and you won’t need to repeat your story.
- The results of common tests (for example blood tests) will be available to everyone involved in your care, regardless of where the test took place, reducing the need to repeat them or obtain printed results.
For us and other health and social care professionals:
- There is up-to-date information to plan and improve your care and make more informed decisions.
- Less time will be spent on finding out relevant information from different health and social care organisations and IT systems, saving time and reducing duplication and recording of information across records.
- We can work as a team across North Central London to identify opportunities for improvement, such as analysing health needs for specific patient groups.
- Seeing if there needs to be more focus on providing physical health checks for people with learning disabilities.
More information on the benefits of NCL’s London Care Records and what it means for you is available on the North Central London Partner's website here.
Do I have a choice?
The NHS five-year plans include steps to deliver a better, more joined-up and more responsive NHS in England. As a result, health care professionals will have access to vital information about you to make quicker and safer decisions about your care. Due to the COVID-19 (coronavirus) pandemic and in the public interest, all health and care organisations are currently required to share and process data.
The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure. Therefore, the national data opt-out will not apply to data sharing for the purposes of responding to Covid-19. This directive is currently in place until April 2023 and may be subject to further review.
Where can I find out more? For more information, please click here: Control of Patient Information Notice
National Data Opt Out Service
There are instances where we may be required to disclose confidential information about you to organisations across the health and social care system in England for purposes beyond your direct care; for example, for research purposes to improve health and social care services. The national data opt-out provides individuals with the opportunity to inform organisations not to use or disclose their information for purposes beyond their direct care.
The national data opt-out does not apply where there is a legal obligation which requires disclosure, such as under the control of patient information (COPI) notice, or where there is an overriding public interest in the disclosure, that is, where the public interest in disclosing the data overrides the interest in maintaining confidentiality and respecting the opt-out, for example COVID.
Should you not want your information to be shared or used beyond the provision of your direct care then you can choose to opt out. If you choose to opt out, Barnet, Enfield and Haringey Mental Health NHS Trust will apply an opt out to your record.
Patients can find out more about this and set their opt-out choice by clicking on this link nhs.uk/your-nhs-data-matters or by calling 0300 303 5678.
If you are happy for your data to be extracted and used for purposes described in this Privacy Notice, then you will not need to do anything.
Please note you can change your mind on this at any time. The Trust will respect your decision unless we are legally obliged to do so.
Cross Border Data Transfers
The Trust does not transfer any personal data outside of the UK. If, however, we do need to transfer your data overseas, appropriate safeguards will be put in place to protect the transfer of your data. If data needs to be transferred outside of the UK to a third country, we will inform you of this before it is done.
The Trust routinely records all crisis calls for quality control and training purposes and to prevent crime, staff abuse and non-compliance with Trust procedures. Service users are entitled to a copy of the recording as per their subject access rights.
CCTV and Body Worn Cameras
The Trust employs CCTV cameras and body worn surveillance cameras across its Trust sites and departments in order to provide a safe environment for its service users, staff and visitors. Posters and CCTV signage have been placed in all areas where cameras are located to inform members of the public that they may be recorded on CCTV for the purposes of crime prevention, crime detection and the promotion of public safety. It is anticipated these cameras will assist with our car management facilities and the verification of claims, and act as a deterrent to reduce unlawful activity and abuse and violence towards our staff and third parties.
You have a right to request a copy of any surveillance that may have been recorded about you subject to the exemptions of data protection legislation. Please note this legal right does not entitle you to any third-party information.
All CCTV images are retained by the Trust for 30 days.
Please refer to our CCTV web page for further information.
Car Park Management
Our car park facilities are provided through a third-party company contract. The contractor will collect vehicle information on behalf of the Trust to support traffic flows, prevent and detect crime, and ensure individuals do not park in any restricted areas. Further information about this is provided through our Estate Services; contact the Trust switchboard for details on 0208 702 3000.
SMS Texts and Emails
The Trust employs various methods to keep in touch with its service users. As a service user you may be asked if we can contact you by either post, email or by text message in order to receive appointment reminders, automated calls or service information. From our initial point of contact, we will always record your preferences and choose to contact you in this way. Please be mindful that you have a right to change these options at any time. Please ensure that we hold an accurate email address or mobile telephone number to contact you on.
Data Protection by Design
The Trust carries out Data Protection Impact Assessments (DPIA) in accordance with the General Data Protection Regulations (GDPR), when contemplating new projects that involve the use of personal data or changes in processing operations. These are not published but are available on request from the Trust’s Data Protection Officer at the contact details below.
Retention of Data
The Trust retains all data in accordance with the Trust’s Record Management Policy and Retention Schedule which is in accordance with the NHSX Records Management Code of Practice 2021.
All records have a minimum retention period and will be disposed securely once they reach their recommended retention period. The retention period for typical records across the Trust include:
- Adult Mental Health records – 20 years from closure date.
- Records of a person who has been sectioned under the Mental Health Act 1983 may be retained longer where the case is ongoing or has a high potential for recurrence, based on clinical judgement.
- Deceased records of mental health patients – 10 years after date of death.
- Children's records are kept until their 25th birthday, or 26th birthday if the patient was 17 years old when treatment started.
Data Subject Rights
Under the General Data Protection Regulations (GDPR), all service users and individuals have a right to access information that is held about them by the Trust.
You should be aware that in certain circumstances your right to see some details in your health records may be limited or withheld in your own interest or for other reasons; this will always be in accordance with the GDPR/Data Protection Act 2018. The “serious harm test” will be applied to most information requests before disclosures by the Trust. This means some information may be withheld based on application of the serious harm test and professional judgement.
The Trust will endeavour to respond to your request within the 30-day timeline. However, your request may be delayed beyond the regulated timeline if it is complex and requires more time to be processed, in which case an extension of up to 2 months may be applied. If this applies to you, you will be notified by the team processing your request.
The Trust is only responsible for providing information, which is held by us.
You do not need to give a reason to access your health records.
As a service user you have:
a) A Right to be Informed
To be provided with information in a concise, transparent, intelligible and clear, plain language format about how your data is handled. This is outlined in this Privacy Notice.
b) A Right to Access
You have a right to access information held about you. This is known as a Subject Access Request (SAR). All SARs are free (unless they are complex or voluminous by scope where an administrative charge may be applied) and must be processed within one month (i.e., 30 calendar days) of the Trust receiving the request.
All requests for access to health records must be referred to the Medical Records Team at the address below. For further information on this please refer to our medical records page.
c) A Right to Erasure (also known as a Right to be Forgotten)
Service users have a right to request the erasure of their personal data where:
- The personal data is no longer needed and has reached its retention period.
- There are no legitimate reasons for the Trust holding the data.
- The personal data has been unlawfully processed.
- You have withdrawn your consent for the processing of your data.
d) A Right to Rectification
You have a right to request without any undue delay the rectification or update of any inaccurate data we may hold about you. All requests must be responded to within 30 days (i.e., one month) from the receipt date of the request.
e) A Right to Restrict Processing
You have a right to restrict any processing of data where the accuracy of the data is contested. This means that we will only store your data and not share it or further process it except in limited circumstances.
f) A Right to Object
You have a right to object to how your data is used, e.g., for direct marketing. This right applies to all processing involving scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest).
g) A Right to Data Portability
You have a right to request data to be transmitted directly from one data controller to another where it is on the basis of consent and automated means. To achieve this, the process must be technically possible.
h) A Right to Automated Decision Making and Profiling
Automated decision making does not take place in the Trust.
Your right to complain
Raising a General Complaint or Concern
Any service users who have a general concern or complaint about any aspect of their care or treatment at the Trust should contact the Patient Experience Team at the following email address: email@example.com or 0208 702 4700
Raising an Information Governance Complaint or Concern
The Data Protection Officer is the main contact point for all data protection enquiries and any investigations received from the Information Commissioner’s office.
The Data Protection Officer for the Trust is:
The Information Governance Manager
St Ann’s Hospital
St Ann’s Road
Tel: 0208 702 4134
The Medical Records Team is the main contact point for all access to health records requests. They can be contacted at: firstname.lastname@example.org
Information Commissioner’s Office (ICO)
You have a right to make a complaint to the Information Commissioner’s Office (ICO) at any time. However, we would appreciate the chance to deal with your concerns before you approach the ICO. Please contact us in the first instance via our patient experience team on this link email@example.com or 0208 702 4700
For independent advice you have a right to submit a complaint to the Information Commissioner’s Office. The ICO is the UK’s independent body for overseeing all data protection matters. Do be mindful that the ICO will only consider any complaints once an organisation’s internal procedures have been exhausted. The ICO can be contacted at:
Information Commissioner’s Office
Helpline: 0303 123 1113 (local rate) or 01625 545 745
The Trust’s Data Protection Registration
For the purposes of this Privacy Notice, the Trust is registered as a Data Controller. Our DP registration number is: Z8836068.
Our registration can be viewed online via the public register on the ICO website.
Further information about the way we handle your personal data can be found in our patient leaflet: Protecting Your Information leaflet (PDF document)
Changes to this Privacy Notice
The Trust reserves the right to make any changes to this Privacy Notice at any time and will provide you with any substantial updates as and when necessary.
Date updated – December 2022