Your rights, our responsibilities

To provide the best possible standards of care we need to keep information about you. This includes your name, address, contact details, date of birth next of kin and, details of your medical history. This information is held for the purposes of maintaining your care. Most information is stored electronically some remain on paper and may take other forms such as x-ray photographs. All of your information is held securely and only ever accessed when there is a need to know.

We have a legal responsibility to keep confidential all of the health information about you. The obligations that the health and social care organisations have, together with the rights that every individual enjoys, are set out in the UK General Data Protection Regulation ( UK GDPR) and The Data Protection Act 2018. (DPA2018).

We will share information with you the patient and other parts of the NHS such as your GP and those contracted to provide services to the NHS in order to support your healthcare needs unless you ask us not to.
Those may also include for example: Hospitals and health care organisations, social services, and community services. Occasionally there are circumstances in which we have to disclose information and when we do not necessarily need to obtain patient consent. The three main justifications for this are:

  • Where there are concerns about the safety of a child or vulnerable adult
  • When it is in the wider public interest to do so, for example, in the case of a serious crime
  • When disclosure is required by law, for example when we are ordered by a court to do so.

We will anonymise or pseudonymise your information wherever possible to protect your confidentiality.


CPFT believes in the importance of research for the NHS. It uses data securely for research, and it offers opportunities to participate in research. To help improve the standards of health and social care, identifiable information from your records may be used for research and statistical analysis. The Data Protection Act (2018) defines “medical purposes” to include “preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services”. You can opt out from the use of your identifiable data for research or planning purposes via the NHS National Data Opt-Out link here:

The NHS also promises to anonymise the information collected during the course of your treatment that we use to support research and improve care for others. CPFT supports research using anonymous health data via the CPFT Research Database. This allows NHS-approved researchers to use health data without learning anyone’s identity. You can opt out from the use of your anonymous data for research within CPFT (see In addition, the CPFT Clinical Data Linkage Service provides a way to link CPFT data to other UK data sources, such as other parts of the NHS, for research with anonymous data. If you have opted out from the use of your anonymous data for CPFT research as above, your data will not be linked.

CPFT also supports participatory research, such as studies involving interviews, questionnaires, or new treatments. In these cases, you will be approached to see if you would like to take part. To find out more, see the leaflet “Taking part in research” here:

Your rights

The UKGDPR and DPA2018 gives every individual a number of rights. In brief, you have the right to:

  • To be informed why, where, and how we use your information.
  • To ask for access to your information.
  • To ask for your information to be corrected if it is inaccurate or incomplete.
  • To ask for your information to be deleted or removed where there is no need for us to continue processing it. This is not applicable for information used for health care purposes. We have a statutory duty to keep your records in order to treat you. The retention periods for your records are set out in the NHS Digital Records Management Code of Practice for Health and Social Care
  • To ask us to restrict the use of your information. This would only apply when there are questions arising from the accuracy of your data and we need time to resolve them.
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information. This is not applicable for information used for health care purposes
  • To object to how your information is used.
  • To challenge any decisions made solely without human intervention (automated decision making) Our Trust does not process information in this way.

Our obligations

The UKGDPR and DPA2018 imposes a number of obligations on our services. In brief, these are:

  • Information about you will be processed fairly and lawfully and in a transparent manner
  • Information will be used solely for planning and delivering your health care and will not be used in an inappropriate way.
  • The information recorded about you will be adequate and relevant, and limited to what is necessary
  • The information will be accurate and up to date.
  • Information will be kept no longer than necessary.
  • All of the information will be processed within our organisation in accordance with your rights.
  • We will take all necessary measures to prevent unlawful processing, accidental loss, damage, or destruction.
  • Information will not be transferred to a country outside the European Economic Area, unless the country provides adequate protection of your rights as regards the processing of information

We undertake to fulfil these obligations, please tell us if any of your details change. Or if any information in our records is incorrect.

Further information

If you would like more details about how we use information about you, please refer to our Privacy Notice. All NHS Trusts have a Caldicott Guardian. This is the person who oversees the systems to keep information safe and secure.

CPFT’s Caldicott Guardian is:
Dr Cathy Walsh
Chief Medical Officer

Department of Health UK Caldicott Guardian Council

You can contact the office of the Information Commissioner who has responsibility for ensuring good practice in all aspects of Data Protection and Freedom of Information:
T 01625545745

For further advice about issues in this leaflet:
Kay Taylor
Data Protection Officer/ Information Governance Manager

As a patient

As a patient, relative or carer using our services, sometimes you may need to turn to someone for help, advice, and support. 

Patient Advice and Liaison service  Contact the Trust