Data protection

An Integrated Care System (ICS) is a partnership of organisations that work together to provide joined-up health and care services in your local area. In north west London, this includes:

• NHS organisations (like hospitals, GPs, community and mental health trusts)
• Local councils (adult and children’s social care services
• Charities and voluntary/community sector organisations

Because these organisations work closely together, they often need to share your information. This helps us:

• Understand your needs better
• Provide safe and effective care
• Plan services for the future

But sharing information comes with responsibility. That’s why data protection is so important - it ensures that your personal details are kept safe, private, and only used in ways that are fair, lawful, and transparent.

The North West London Integrated Care Board is the statutory NHS body responsible for planning and funding health services across north west London. The ICB is one part of the ICS but has its own distinct legal duties and responsibilities.
It’s important to understand the difference:

• The ICS is the overall partnership bringing together NHS, councils, and community organisations.
• The ICB is one statutory NHS organisation within that partnership, responsible for commissioning and oversight of NHS services.

From a data protection perspective:

• The ICB is an independent data controller. This means it decides why and how it uses personal data for the functions it is directly responsible for (such as commissioning services, managing contracts, and fulfilling statutory duties).
• Other NHS organisations in north west London, like hospitals, GPs, and community trusts, are also independent data controllers. Each decides how it uses the data it holds for the services it provides.
• Sometimes people assume that because the ICB commissions services, it is responsible for all patient data across north west London. This is not correct. Each organisation is responsible for its own data as a data controller. The ICB is only responsible for the information it directly controls and processes.

Data protection is all about making sure your personal information is:

• Kept safe
• Used fairly
• Not shared with the wrong people
• Kept only for as long as it’s needed
• In the UK, we follow the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws give you rights over your data and set strict rules for how organisations like the ICB, hospitals, and councils can use it.

In North West London, health and care services work together to support your health and wellbeing. To do this, we sometimes need to share information between organisations.
For example:

• Your GP might share your medical history with the hospital if you’re referred for treatment.
• The hospital might update your GP after you’ve been discharged.
• Social care may need to work with your GP to support you at home.

We only share what’s necessary, relevant, and lawful, and we make sure that:

• Everyone handling your data is trained and follows strict rules.
• Organisations have agreements in place that explain how data is shared safely.
• Information is only used to support your care, plan services, or meet legal duties.

To support this, north west London has:

• A Data Sharing Framework (to make sure sharing is lawful and consistent).
• An Information Governance Committee (where data protection issues are discussed and monitored).
• Access to sector and London-wide data sharing platforms (to enable safe and secure sharing across wider services).

We follow sevem key principles when using your data. These are the rules that guide everything we do:

What it means in everyday language

     1. Lawfulness, fairness, transparency

     We only use your data when the law allows it, and we’re open about how and why.

     2. Purpose limitation

     We only use your data for specific reasons, like care, planning, or legal duties, not for anything unrelated.​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​

     3. Data minimisation
     We only collect the information we really need.

     4. Accuracy
     We do our best to make sure your information is correct and up to date.

     5. Storage limitation
     We don’t keep your data longer than necessary.

     6. Integrity and confidentiality

     We keep your data safe from loss, damage, or misuse.

     7. Accountability
    We take responsibility for how we handle your data and can demonstrate compliance.

Here’s how data protection works in practice:

• Joining up your care: If you go to A&E, the staff may access your GP record to understand your health history and treat you more safely and quickly.
• Keeping you safe: If there’s a serious risk to you or someone else (for example, in a safeguarding situation), we may need to share information, but only with the right people.
• Planning services: We may use anonymous information (which can’t identify you) to plan services, such as how many people in north west London need diabetes support.

You have rights over your personal data. These include:

• Right to be informed – You have the right to know how your data is used (that’s what this page is for).
• Right of access – You can ask to see the data we hold about you.
• Right to rectification – If your data is wrong, you can ask us to fix it.
• Right to erasure – In some cases, you can ask us to delete your data.
• Right to restrict processing – You can ask us to stop using your data for certain things.
• Right to object – You can object to your data being used in some cases (e.g. research or planning).

To learn more or to use your rights, visit our privacy notice for full details.

We have trained professionals who make sure data protection rules are followed:

• Data Protection Officers (DPOs): Experts in data privacy and your rights.
• Caldicott Guardians: Senior staff who protect patient confidentiality.
• Information Governance Teams: Specialists who monitor compliance and ensure we follow the rules.

We know your health and care information is sensitive. That’s why we promise to:

• Only use your data when it’s really needed
• Keep your data secure and confidential
• Be clear about how and why your data is used
• Respect your rights and choices wherever possible