Privacy Policy

On the 25th May 2018, the data protection system across the EU (including the UK) changed. The GDPR replaces the provisions of the Data Protection Act 1998 (DPA). The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals (known as Data Subjects).

For the purposes of the Data Protection Act 1998 and the EU General Data Protection Regulation 2016/679 (“Data Protection Law”), CNWL Talking Therapies is both a “Data Controller” and a “Data Processor.” This means that we are responsible for and control the collection and processing of, your personal information.

For further details about why and how NHS Digital processes personal data in the NHS Talking Therapies (previously Improving Access to Psychological Therapies - IAPT) collection, and your rights, visit this link:

Improving Access to Psychological Therapies (IAPT) - NHS England Digital

We keep contact information for you and others involved in your care, information about your background, assessments, results of questionnaires, our plans for your future care, details of the care we give you and correspondence related to your care. You have the right to change or complete any inaccurate or incomplete personal information held about you.

It is important that you tell us within one week if you change your details, telephone numbers or address because we will continue to use the address and telephone numbers you have given us until you tell us they have changed.

The information we record can come from a variety of sources. This can be when you interact with us directly, indirectly or through a third party: This includes when you phone us, visit our website or get in touch through the post, or in person, or are referred by your GP or another service with the purpose of accessing Talking Therapies services.

We also get information from referral letters, directly from GP clinical records and what you and others involved in your care tell us if we think it is clinically relevant.

Information entered on the CNWL Talking Therapies website to book courses will be transferred into the Trust clinical database, Insight. This information will be used to keep you informed about the courses and be associated with the questionnaires you fill in so we know if you are improving, which will help us make decisions about any future care you may need.

The information you submit using the Wysa chatbot on our Kensington and Chelsea service webpage will only be used to make a referral to the service. It is held securely on our clinical system (IAPTUS). The information will be held for 90 days then deleted from the Wysa app but held within the clinical system (IAPTUS) after that time only.

The referral information is shared with your clinician prior to your appointment. If you indicate that your safety is at risk it may also be shared with your GP.

If you would like further information about how your data is managed on the chatbot see the separate Wysa Privacy Policy: Everyday Mental Health by Wysa Privacy Policy

The information you submit using the LImbic chatbot on our Hillingdon service webpage will only be used to make a referral to the service. It is held securely on our clinical system (IAPTUS). The information will be held for 30 days then deleted from the Limbic app but held within the clinical system (IAPTUS) after that time only.

The referral information is shared with your clinician prior to your appointment. If you indicate that your safety is at risk it may also be shared with your GP.

If you would like further information about how your data is managed on the chatbot see the separate Limbic Privacy Policy: ​​​​​​​Limbic Privacy Policy

CNWL Talking Therapies is committed to keeping any information you share with us private and secure. 

We keep information about your care on the trust computer system and on a dedicated specialist computer system. We may also keep information on paper records.

Examples of this might include anyone reporting serious self-harm or posing a threat to others or children contacting us and sharing serious issues such as physical abuse or exploitation. We will also share information where we are legally obliged to do so.

We will only keep your information for as long as is reasonable and necessary for the relevant activity, which may be to fulfil statutory obligations.

We will only use this information for the purposes of providing you with a service in support of your health. We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.

Our computer systems contain electronic records of your care, which include electronic notes and digital copies of documents related to your care.  These systems are used by staff to plan and monitor the quality of your care, to continually improve the quality of the services that we offer and plan future services.

The Trust will on occasion collate, analyse or transfer your clinical or administrative data using approved digital automation processes in order to provide efficient and clinically safe services. This may include sharing with other agencies, relevant integrated care board and partners involved in your healthcare.

We may disclose your information if required to do so by law (for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority); or, in order to enforce our contractual and other agreements.

The law gives you a number of rights in relation to what personal information is used by CNWL and how it is used.

These rights allow you to ask us to provide you with a copy of the personal information that we hold about you, correct personal information about you which you think is inaccurate and stop using your personal information if you think it is wrong, until it is corrected. 

A full explanation of data protection and rights for data subjects can be found by following this link: Data Protection: rights for data subjects - GOV.UK

Your right to erasure, and what it means under data protection laws, gives you have the right to ask for your personal information to be erased. This is often called the "right to be forgotten."

However, this right will not always apply. There are situations where the Trust need to retain your personal information because there is a lawful reason to do so.

In particular, we are required to keep health records when they are needed to provide care or meet NHS legal duties. Because of this, we’re unable to delete or destroy your records as requested.

If you are not satisfied with this response, you have the right to raise a concern or make a complaint with the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection. To find out more you can contact the Information Commissioner’s Office (ICO).

We collect the following information from people visiting the website:

• Site usage information, using cookies and page tagging techniques