How the Trust manages your information


(JULY 2018)

Cumbria Partnership NHS Foundation Trust (CPFT) is responsible for providing over 60 expert health services across Cumbria, supporting people in our communities to live happier, healthier and hopeful lives.  Our services are currently organised into four care groups:

  • Community – providing care in patients’ homes or in community settings such as health centres and community hospitals
  • Specialist – our specialist services are led by experts in areas including dentistry, sexual health and diabetes. This growing group delivers smaller, specialist services into the communities of Cumbria.
  • Mental Health – supporting people with mental health problems to recover and live as independently as possible
  • Children and Families – we promote a healthy start to life and provide healthcare services that are responsive to the changing needs of young people and their families

For more information see our directory of services

This notice explains how we use and share your information.  Information may be collected on paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.  


Cumbria Partnership NHS Foundation Trust is a registered Data Controller. Information Commissioner's Office (ICO) registration no. Z8703662.

Cumbria Partnership NHS Foundation Trust (CPFT) and North Cumbria University Hospitals (NCUH) are working together to integrate support services (for example Estates and Facilities, Information Management and Technology, and Human Resources). By integrating support services we aim to build on the collaborative working already happening across many of our support services. Sharing resources, talents and capabilities will lead to improved quality, greater opportunities, reduced duplication and greater efficiencies. Together our services can sustainably meet the demands and expectations of our customers. The integrated support services will be provided by CPFT and NCUH in West, North and East Cumbria.

In order to facilitate this integration, both Trusts will need to share information appropriately and proportionately, which will include patient, staff and corporate information. Information flows are recorded in our Information Sharing Gateway and are risk assessed to ensure that the sharing is lawful and proportionate for the purpose identified.

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the Law. There may also be significant changes within the Cumbrian health economy as Integrated Care Communities (ICCs) and the Sustainability and Transformation Plan (STP) are further developed and implemented.

Mental Health Transfer

On 1 October 2019, Mental Health Services will transfer to Northumberland, Tyne and Wear (North Services) and Lancashire Care Foundation Trust (South Cumbria Services). As with the integration of services explained above, to facilitate this move as a contract change we will need to share personal identifiable information appropriately before and after the transfer date, in line with a Data Transfer Agreement. The reason for sharing health information is for continuation of care purposes.

Integrated Care Communities (ICCs)

An integrated care community works together to improve the overall health and wellbeing of the community. West, North & East Cumbria has been divided into eight ICCs based on groups of GP practices and their patients. By understanding the challenges that each area faces it is hoped that the community can work together with health and care organisations to improve the health and wellbeing of local people.  The Information Governance team, through the CCG’s commissioning, provides services across all eight ICCs.

Sustainable Transformation Partnerships (STPs)

The West, North and East Cumbria STP covers Carlisle, Allerdale, Copeland and Eden – a population of around 330,000.   Partnerships between the providers and the commissioners of health and social care with the community aim to integrate services to deliver a better experience for patients, staff and communities. The Information Governance team provides services across the STP.     STPs are outlined in the five year forward view for the NHS. Our West, North and East Cumbria STP aims to:

  1. Prevent illness and empower people to support their own health and wellbeing
  2. Strengthen and invest in local primary care, social care and community care
  3. Deliver sustainable hospital services and develop improved physical and mental health services closer to home and in hospital when needed.

How the NHS and Care Services Use Your Information (National Data Opt Out Programme (NDOP))

Cumbria Partnership NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.    Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.  The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.  To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply


You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made). You can change your mind about your choice at any time.


Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.       Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Cumbria Partnership NHS Foundation Trust is currently compliant with the national data opt-out policy.

Cabinet Office: National Fraud Initiative (NFI)

Cumbria Partnership NHS Foundation Trust is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.  Data matching involves comparing sets of data such as the payroll records of a body against other records held by the same or another body to see how far they match.  The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified.  Where a match is found it may indicate that there is an inconsistency which requires further investigation.  No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.

We are a mandatory participant in the Cabinet Office’s National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here on the website. For further information on how the Trust uses your information, please refer to the Trust’s Fair Processing Notice and the Privacy Notice for Staff.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under data protection legislation or the GDPR (General Data Protection Regulation).  Data matching by the Cabinet Office is subject to a code of data matching practice, also available on the website.  The Cabinet Office has published its Data Privacy notice, which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the General Data Protection Regulation (GDPR).   The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. 

We want you to know that we take privacy very seriously.  Please be assured that we will always manage your data securely and responsibly.  For further information on data matching at this organisation, please contact the Counter Fraud team on 0191 441 5936 or email

When further changes occur, we will revise the last updated date as documented in the Version Control Section of this document

Data Controller contact details

Cumbria Partnership NHS Foundation Trust
Portland Place
CA11 7QQ
Tel No 01228 608398 / 01228 608399

Data Protection Officer contact details

Head of Information Governance / Data Protection Officer
Maglona House
Unit 68 Kingstown Broadway, Carlisle, CA3 0HA
Tel no 01228 60 3961
Email :

Purpose of the processing

The following is a broad description of the way this organisation / data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communication you have received from the Trust or to contact the Data Protection Officer.

Direct Care and Administration Purposes

Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from a GP or self-referral into one of our services. As such there is a need to share relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and/or care.

As part of our administration purposes, we process information about:

  • Our patients
  • Suppliers
  • Employees
  • Complainants, enquirers
  • Survey respondents
  • Professional experts and consultants
  • Individuals captured by CCTV images

Commissioning, Planning  and Research Purposes

Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or, for local flows, by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, contract monitoring and reporting facilities.


Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately.  Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. 

Serious Incident Management

Cumbria Partnership NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised that providers had a responsibility for ensuring the quality of health services provided.

Analysis – Risk Stratification

Risk stratification entails applying computer-based algorithms or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would, by its nature, potentially not identify individuals quickly and would increase the time to improve care.

Foundation Trust Membership

As a Foundation Trust, Cumbria Partnership NHS Foundation Trust has a statutory requirement to process membership data in its official authority as a public body. Membership data has to be processed in order to maintain a membership, run annual elections and ensure the membership is representative of the communities we serve.

The purpose of our membership application form is to gather the personal data required in order to sign up and become a member of the organisation, Cumbria Partnership NHS Foundation Trust. These details may then be used to communicate with you about general membership matters. Special category data is also collected for certain constituency groups to ensure we have a membership that is representative of the community we serve. We also collect demographic data based on your postcode to enable the organisation to report the makeup of its membership to NHS Improvement, the Regulator, as and when required.

Members of Parliament

The Trust will handle queries from the MP in relation to the Information Commissioner Guidance. In carrying out constituency work, the MP is responsible for ensuring with constituents (data subjects) that the personal identifiable information they receive is handled fairly, lawfully and in a transparent manner (i.e. your consent has been obtained). As an additional safeguard, the Trust will advise you directly as a data subject that the MP has contacted the Trust on your behalf, to give you an opportunity to dissent from your personal identifiable information being shared.

Lawful basis for processing

We will process personal identifiable information (Article 6) and also special categories of personal data (Article 9), including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, and sexual life. The lawful basis we use:

The processing of personal data in the delivery of direct care and for providers’ administrative purposes (i.e. management of serious untoward incidents and safeguarding) in this organisation and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

We will also recognise your rights established under UK case law, collectively known as the “Common Law Duty of Confidentiality”* (see below reference).

Lawful basis for processing for commissioning and planning purposes (including risk stratification) is:

Article 6(1) (c) – for compliance with a legal obligation

For disclosure to NHS Digital is:

Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority.

As for direct care purposes the most appropriate Article 9 condition for commissioning purposes is:

Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Lawful basis for research is

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

The Article 9 condition for research is:

Article 9(2)(j) – …scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.

Lawful Basis for FT membership is supported under the following Article 6 and 9 conditions of the GDPR :

Article 6(1)(c) – …necessary for compliance with a legal obligation.

Article 6(1)(e) –  …necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9(2)(d) – …carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.

9(2)(g) – …necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.

The Trust operates secure disclosure / sharing of information practices all of which are recorded as a record of our processing activities (using the Information Sharing Gateway).    Further information is available on request.

Lawful basis for Members of Parliament – whereby article 9(3) is satisfied by the elected representatives order, the Trust will process in line with the below principles:

Article 6(1)(e) –  …necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9(2)(h) – …processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services …..

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA).  Any transfers made will be in full compliance with all aspects of the data protection legislation.   Further information is available on request.

Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in the Trust and at hospitals, diagnostic and treatment centres who contribute to your personal care for direct care purposes.    This will include your GP.

The Trust engages partners in the North and East to conduct audits on clinical processes. This enables the Trust to continue to develop their quality of care for patients.

Where necessary or required we may consider sharing information with any other categories of recipients:

  • Our patients
  • Family, associates and representatives of the person whose personal data we are processing
  • Staff
  • Current, past or potential employers
  • Healthcare social and welfare organisations
  • Suppliers, service providers, legal representatives,
  • Auditors and audit bodies
  • Educators and examining bodies
  • Research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional advisors and consultants
  • Business associates
  • Police forces
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations.

Rights to object (Article 21)

You have the right to object to some or all of the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

Right to access (subject access) and correct (rectification) (Article 15 and Article 16)

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.  

If you wish to make a subject access request (accessing your information), requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request. See how to get in touch from here. Please note that Subject Access Requests are for those who wish to obtain information held about them personally and not general information around the Trust. The address is:

Information Rights Team

Maglona House – Unit 68 – Kingstown Broadway, Carlisle, CA3 0HA

Email –

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For email requests, please send to the Freedom of Information Team here.

Freedom of Information Act Requests

c/o Information Rights Team

Maglona House – Unit 68 – Kingstown Broadway, Carlisle, CA3 0HA

You can also email your request to

Automated Decision Making, including Profiling

As an organisation we currently do not undertake any automated decision making, including profiling activities.

Retention period

The data will be retained in line with the law and national guidance. or speak to the Data Protection Officer

Right to Complain

If you have a complaint about the Trust we will use your information to communicate with you and investigate any complaint. Please note that the complaint will not form part of your health care record. Please contact here:

Patient Experience Team

The Coppice, Carleton Clinic Estate, Carlisle, CA1 3SX


Should you have any concerns about how your information is to be used having read this Fair Processing / Privacy Notice or you wish to request the notice in another format please contact the Data Protection Officer.

If you are not happy with our response and have exhausted all the avenues you have the right to complain to the Information Commissioner’s Office, you can use this link 

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Wycliffe House

Water Lane




Or email:

General data protection regulation statement

Cumbria Partnership NHS Foundation Trust is a ‘Data Controller’ under the General Data Protection Regulation. This means we are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z8703662 and our registered entry can be found on the Information Commissioner’s website.

All of our staff receive annual information governance training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.

As a Trust we have entered into contracts with other organisations to provide services for us.  These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient.      These contractors may hold and process data including patient information on our behalf.  These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law.  Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.

Version Control

Last Updated - This is Version 1.0 of the Cumbria Partnership NHS Foundation Trust Fair Processing Notice and was published on 09.10.2018

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.   The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.   In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.


Last Updated - This is Version 1.0 of the Cumbria Partnership NHS Foundation Trust Fair Processing Notice and was published on 10.07.19. 





Draft 0.1 – 22 December 2016 – Initial draft
Draft 0.2 – 3 March 2017 – Comments from Communication Expert – CPFT
Draft 0.3 – 30 March 2017 – Additions made by IGCO
Draft 0.4 – 28 June 2017 – Reviewed by Head of Information Governance to make changes to lawful conditions
Draft 0.5 – 10 August 2017 – Additional wording about CCTV surveillance to be included in ICO section
Draft 0.6 – 07 September 2017 – Integrated support services with CPFT and North Cumbria University Hospitals NHS Trust (NCUH)
Draft 0.7 – 20 April 2018 – Head of IG reviewed in light of Subject Access Process and reviewed to be in plain language
Draft 0.8 – 25 April 2018 – Added in comments re ICCs and STPs
Draft 0.9 – 19 September 2018 – Added in comments re National Fraud Initiative (NFI) (main body) and audits on clinical processes (Section 5)
09 October 2018 – Added FT membership to Sections 3 & 4.

22 March 2019 – YS added:

  • MP enquiries and covering Data Protection Aspects
  • Transition of services to NTW and Lancashire Care

9 July 2019 – Input on the National Data Opt Out to ensure compliance