Data protection 

Cornwall Partnership NHS Foundation Trust is committed to protecting your privacy when you use our services. This privacy notice explains how we use information about you and how we protect your privacy.

Where can I get advice?

We have a data protection officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact:

Information governance department, Cornwall Partnership NHS Foundation Trust, Suite 6, Carew House, Beacon Technology Park, Dunmere Road, Bodmin, Cornwall PL31 2QN

Call 01208 834495

Email the information governance team


General Data Protection Regulations

Data protection

Cornwall Partnership NHS Foundation Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018.

Looking after your personal information 

Cornwall Partnership NHS Foundation Trust is committed to protecting your privacy when you use our services. This privacy notice explains how we collect and use personal information about you and how we protect your privacy. It will tell you:

  • what personal information is
  • what information we collect about you
  • where we get your information from
  • why we collect your information
  • how we keep your information safe
  • how long we keep your information
  • why we are allowed to process your information
  • your right to object to information processing
  • your rights as a data subject
  • when we may pass your information on to other people or organisations
  • when we may transfer your information to other countries
  • where to get further advice

What is personal information?

Anything that identifies a living individual, either on its own or when put together with other information. Examples of personal information are name, address, telephone number, national insurance number or hospital number.

Sensitive details about an individual, which they would not usually want to be widely known without their consent. Examples of sensitive information are a person’s physical or mental health record, genetic or biometric data, their racial or ethnic origin, sexuality, and political or religious beliefs.   

What information do we collect?

Depending on your circumstances and the nature of the health care you require, we may collect the following information about you:

  • general details (such as name, address, date of birth, telephone number)
  • details about your GP
  • medical history
  • any medications you are taking
  • details about your physical or mental health
  • family details (for example, your next of kin)
  • ethnicity
  • religious belief
  • lifestyle and social circumstances
  • sexual life
  • scans, x-rays, and other diagnostic images
  • genetic or biometric data

The information we collect about you may be written down in a paper file (manual record), or held on a computer system (electronic record). We may also record CCTV images in public areas as part of the Trust’s security arrangements and for crime prevention.

You have the right to receive a copy of your medical records via a subject access request.

Where do we get your information from?

A lot of the personal information provided to us comes directly from our patients. In certain circumstances, we may also receive personal data from:

  • parents, relatives or carers
  • GPs
  • other NHS Trusts, hospitals, clinics or hospices
  • ambulance trusts
  • local authorities
  • private healthcare providers

Why do we want to collect your information?

To provide your care

The doctors and other health professionals caring for you need to keep records about your health and the treatments you have received from the NHS and other healthcare providers, in order to be able to provide you with the most effective care. It is in your interests as a patient for a full and complete record to be collected, so that we have accurate, up-to-date information about you.

To carry out medical research

We may also process your data to carry out scientific or historical research. The Health Research Authority sets standards for NHS organisations to make sure they protect your privacy and comply with the law when they do research work. When Barts Health uses your data for research purposes we will ensure that appropriate safeguards are in place, such as using the minimum amount of data needed or making sure you cannot be identified by the data.

Sometimes a member of your care team may review your health records to see if you might be a good candidate for any research we have planned. However, except in very specific circumstances, we are required to inform you first and get your explicit consent before we are allowed to use any of your information for research. We will not use data from private or non-NHS patients for research purposes.

If you do not want your personal information to be used for planning and research, you may express your preference under the national data opt-out programme. You can use this service to request that your confidential patient information is not used for anything other than your own individual care.

To help run our hospitals and improve our services

We may also need to use some information about you to:

  • manage the healthcare services we provide
  • help investigate any complaints, claims or incidents
  • match data under the National Fraud Initiative
  • help us to plan new services
  • help us keep track of spending on our services
  • prepare performance statistics for the Department of Health and other regulatory bodies
  • assist in clinical audits of the quality of our services

After you attend our hospitals you may receive a text message asking you to rate how happy you were with your visit. This is a national service called the Friends and Family Test, and it gives NHS users an opportunity to give feedback on their experience. When you receive a Friends and Family Test message by text, you will have the option to opt out of any future messages from this service if you wish to do so.

How do we protect your information?

Everyone working for the NHS has a legal duty to maintain the highest levels of confidentiality, and all Cornwall Partnership NHS Foundation Trust staff receive training in how to handle your information securely. Except in certain specific circumstances, your records will generally only be seen by those involved in providing or administering your care.

Your paper healthcare records are stored in physically secure areas and electronic records held on computer systems are protected by appropriate technology, such as data encryption and access controls.

If you decide to send or receive personal information by email, please be aware that Cornwall Partnership NHS Foundation Trust cannot be responsible for the security of the information during its transfer to or from our email system, or for any loss or compromise of the information due to technical or security issues occurring outside our computer networks.

How long will we keep your information?

There is often a legal reason for keeping your personal information for a set period of time. Our policy for keeping information is based on appendix 3 of the NHS Records Management Code of Practice for Health and Social Care 2016. Please see this document to find out how long we will keep different kinds of information about our patients.

Why are we allowed to process your information?

Under GDPR most of the Trust’s processing of personal information is carried out under the lawful basis of public task, because the processing is necessary for the performance of a task carried out in the public interest (GDPR Article 6(1)(e)). This allows us to process your information because it is necessary for public health purposes and for the purposes of preventative or occupational medicine.

We will also process more sensitive information (such as your medical history) because it is necessary for the purposes of preventative or occupational medicine, medical diagnosis, and the provision of healthcare (GDPR Article 9(2)(h)) or for scientific research and statistical purposes (GDPR Article 9(2)(j)).

Can you object to our processing of your personal information?

In addition to your other rights as a data subject (see below), you have the right to object to the processing of your personal information, although you must give specific reasons for your objection based upon your particular concerns. This is not an absolute right and depending on the circumstances we may decide that there are compelling and legitimate grounds for us to continue to process your information. If we do decide to continue processing your information we will let you know and explain the reasons for our decision to you. You would also have the right to challenge our decision, for example, with the Information Commissioner’s Office.

If you wish to object to the processing of your personal information by Cornwall Partnership NHS Foundation Trust, then please get in touch with our data protection officer.

What are your rights as a data subject?

Under GDPR you have a number of rights as a data subject.

The right to be informed

We are required to inform you about how we collect and use your personal information (for example, by the information given in this privacy notice).

The right to access

By law you are entitled to request a copy of the information we hold about you. This is known as a subject access request. We will aim to provide the requested information to you within 30 days, but if we are unable to do so then we will explain the reasons to you. In most cases we will provide a copy of the information to you for free, but there are some circumstances where we will need to charge.

At times we may not be able to share your whole record with you, particularly if the record contains confidential information about other people, information which could cause harm to your or someone else’s physical or mental wellbeing, or which might affect a police investigation.

The right to rectification

You may request that we make changes to any data we hold about you that is incorrect or incomplete. We will take action to rectify inaccuracies in the personal information we hold about you when it is drawn to our attention. Sometimes it may be necessary to add an explanatory note to your information (an addendum) rather than change the original record. We would do this to ensure that we have all necessary information available to provide your care (your complete medical history, for example).

The right to erasure

In most cases you are not able to request that we erase the medical information that we hold about you for your direct care and public health purposes, under our lawful basis for processing your data as set out in the GDPR.

The right to restrict processing

You may request that we restrict the processing of your information in certain circumstances, for example if you believe it to be inaccurate. In most cases a restriction of processing is a temporary measure while we investigate your concerns. The right to restrict processing is not an absolute right, and we may decide not to restrict the processing of your information if we consider that processing to be necessary for the purpose of the public interest or for the purpose of your legitimate interests.

The right to data portability

The Trust’s basis for processing your data under the GDPR means that we are not legally required to provide your information in a machine-readable form, although we will try to provide information that you have asked us for (such as under a Subject Access Request) in the format you prefer if it is practical for us to do so.

Rights related to automated decision-making (including profiling)

Cornwall Partnership NHS Foundation Trust does not make automated decisions about patients or carry out evaluations based on any automated processes (profiling).

Do we pass your information on to other people or organisations?

When we are required to do so, we will ensure that we seek your consent before sharing your personal information with other people. We will not pass your personal information to your friends, relatives or carers without your explicit consent. If you are unable to consent for any reason, we will only share information where it is clearly in your best interests to do so or it is required by law.

The Trust sometimes needs to share the personal information we process with other organisations. When we do this we are required to comply with all aspects of GDPR. Where necessary we also have data sharing agreements in place with our partner organisations which will state the specific ways in which the shared data can be used.

The organisations we share information with can include:

  • other public and private healthcare, social and welfare organisations
  • central and local government organisations
  • police forces and security organisations
  • public and private service providers, suppliers of medical equipment and support systems
  • public and private auditors and audit bodies
  • legal representatives
  • survey and research organisations
  • professional advisers and consultants

The reasons why we would share your information can include:

  • notification of births and deaths
  • an emergency (when there is risk of loss of life or limb)
  • to control infectious diseases (such as meningitis or tuberculosis)
  • child protection
  • when required by a formal court order
  • for the prevention or detection of a crime

Do we transfer your information to other countries?

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA). Because of this it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made Barts Health will make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the GDPR.

Data protection impact assessments

Under GDPR regulations we are required to carry out a data protection impact assessment (DPIA) when undertaking new projects which involve the processing of personal data. Completing a DPIA helps us to identify any data risks at an early stage and to take steps to minimise these risks as part of the project development process.

DPIAs were completed for the following projects during 2018 to 2019:

  • implementation of virtual consultations
  • private patients email
  • recruitment web forms
  • health data management and analytical reporting system
  • nurse shift roster survey
  • equipment training database
  • stroke data capture system

Please contact our data protection officer should you require any further information regarding these DPIAs.

Where can I get further advice?

Information governance department, Cornwall Partnership NHS Foundation Trust, Suite 6, Carew House, Beacon Technology Park, Dunmere Road, Bodmin, Cornwall PL31 2QN

Call 01208 834495

Email the information governance department

National data opt-out

Our organisation is compliant with the national data opt-out policy.

Whenever you use a health or care service, including any of our services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases
  • monitoring safety
  • planning services

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

Find out more or register your choice to opt-out.

You can find out more about how patient information is used for health and care research.

You can also find out more about how and why patient information is used, the safeguards and how decisions are made.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes, and data would only be used in this way with your specific agreement.


When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

  • enabling a service to recognise your device so you don’t have to give the same information several times during one task
  • recognising that you may already have given a username and password so you don’t need to do it for every web page requested
  • measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

You can manage these small files yourself through your browser settings.

Please note that the cookie providers listed below may distribute the gathered cookie information with other third party websites for the purpose of activity tracking. You can find out more about the policy of each cookie provider on their respective privacy pages.

Current cookies

We use a session cookie at all times. The purpose of this cookie is to maintain the state of the site, reflecting the behaviours a user has selected, as they navigate through it. Examples of these behaviours might be:

  • logging in to the site and staying logged in as they click around
  • choosing a colour contrast stylesheet
  • filling in a multi-page form

This cookie also ensures that if the site is hosted in a load-balanced environment, the visitor’s browsing session stays on the same server throughout their use of the site.

Session cookie profile

Cookie: JSESSIONID
Type: Session
Expiry: Browser close
Linked information: Username
Functions: When a user logs in, maintains authentication state and access rights.

This cookie does not store any personal information about the site visitor, their computer, their visit, or their browsing history. No personal information is collected by VerseOne through the use of this cookie. After the end of the visitor’s session (the browser tab or window is closed, or after an inactivity timeout which is configurable in VerseOne CMS), the cookie’s validity is destroyed and the browser removes the cookie from the visitor’s computer.

Please be aware that the providers listed below may change their cookie names without notice.

As an example, we use the following cookies on our website:

Cookie: Google Analytics
Example name: _utma, _utmb, _utmc, _utmz, GAPS, LSID, LSOSID, OTZ
Purpose: These cookies are used to collect information about how visitors use our site, which we use to help improve it. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. These cookies may also be identified as originating from

More information about Google cookies

Cookie: (Google embedded search)
Example name: __utmx, __utmxx, APISID, HSID, NID, PREF, SAPISID, SID, SSID
Purpose: These cookies are used to collect information about how visitors use our site, which we use to help improve it. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited and what they have searched for. 

More information about Google cookies

Embedded content

We want to provide interesting and engaging content on our website. On a number of pages we use ‘plug-ins’ or embedded media. For example, we embed YouTube videos in many pages. We also provide links to share content with popular social media sites such as Facebook, Instagram, YouTube and Twitter.

The suppliers of these services may also set cookies on your device when you visit the pages where we have used this type of content. These are known as ‘third-party’ cookies. Third-party cookies are delivered on behalf of their respective organisations and as such they may change their name and purpose from the cookies identified below; this is beyond the control of NHS England.

Cookie: YouTube
Example name: PREF, VISITOR_INFO1_LIVE, use_hitbox
Purpose: To track visitor views, and to remember user preferences when viewing YouTube videos embedded in our web pages.

More information about YouTube cookies

Cookie: Twitter
Example name: guest_id, remember_checked, remember_checked_on, secure_sessions, twll
Purpose: To track visitor information and for security authentication. 

More information about Twitter cookies

Cookie: Facebook
Example name: guest_id, remember_checked, remember_checked_on, secure_sessions, twll
Purpose: To track visitor information and for security authentication.

Cookie: Instagram
Example name: guest_id, remember_checked, remember_checked_on, secure_sessions, twll
Purpose: To track visitor information and for security authentication.

How to control and delete cookies

We will not use cookies to collect personally identifiable information about you.

However, if you wish to restrict or block the cookies which are set by our websites, or indeed any other website, you can do this through your browser settings. The help function within your browser should tell you how.

Please be aware that restricting cookies may impact on the functionality of our website.

If you wish to view your cookie code, just click on a cookie to open it. You’ll see a short string of text and numbers. The numbers are your identification card, which can only be seen by the server that gave you the cookie.

For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.

Google Analytics

The Cornwall Partnership NHS Foundation Trust website uses Google Analytics, a web analytics service provided by Google. Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Links to other websites

The Cornwall Partnership NHS Foundation Trust website contains links to other websites of interest. However, once you have used these links to leave this website, you should note that we do not have any control over that other website. We cannot be responsible for the protection and privacy of any information which you provide while visiting such websites, and such websites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. We recommend that you review the website's privacy policy as a precautionary measure. The Trust does not endorse any external sites and is not responsible for their content.