How we use information about you

Leeds and York Partnership NHS Foundation Trust will record information about you to provide you with healthcare services. Your information will also be used to plan our services and to make sure those services are as good as they can be.

When we use your information to provide your care, we will use your name and other identifiers to make sure those providing your care know who you are, but when we use your information for other reasons, we will usually take your name and other pieces of identifying information out – to make your information anonymous.

We will share relevant information with other healthcare professionals who are involved in your care and we will make key information from your records available via the Leeds Care Record unless you object. Your information will not be used for any other purpose without your consent, unless that purpose is required by law. Our Trust will keep your records according to the conditions of the Data Protection Act (2018) and the UK General Data Protection Regulation (UK-GDPR) at all times.

Our Data Protection Privacy Notice is available below and we have also put together a more ‘easy read’ leaflet on how we use your information, how we keep it confidential and contact details in case you’d like to know more. As the leaflet says: It’s your information, but it’s our responsibility.

Find out more about the Leeds Care Record

Get a copy of “It’s your information, but it’s our responsibility”.

A copy of “It’s your information, but it’s our responsibility”, symbolised for those with Learning Disabilities (Easy Read).

A copy of our Privacy Notice, symbolised for those with Learning Disabilities (Easy Read).

Our information governance policies and procedures

Our Trust maintains a number of information governance procedural documents as part of our overall approach to information governance and our information governance framework.

These procedural documents are based on the requirements of the NHS Digital Data Security and Protection Toolkit, National Data Guardian Standards, the Care Record Guarantee, the NHS and Department of Health and Social Care Policy and best practice and UK Data Protection Law.

As well as regulating the activities of our staff, these documents are also intended as instructional guidance on the handling of personal data within our Trust.

Our information sharing protocols and agreements

When our Trust enters into arrangements with partner organisations where we will need to pass information between both parties, we will often enter into information sharing agreements. Information sharing agreements mean both parties have an agreed approach to the sharing of information and how the information can be used once it is shared.

Our Trust is also a signatory to over-arching information sharing protocols. Information sharing protocols bind all signatories to a high-level information framework and it is under this framework that information sharing agreements can be created for specific purposes.

What is the NHS Digital Data Security and Protection Toolkit?

The NHS Digital Information Governance (IG) Toolkit was replaced for 2018-2019 with the Data Security & Protection (DSP) Toolkit.

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. This system is subject to ongoing development.

Consent to use your personal information for Trust communications

The Communications Team manages the use of personal information consent for use in communications, public relations and / or marketing work on behalf of the Trust. This includes permission of staff, service users, carers and the public to use photographs, audio recordings and video footage in which they appear, and some personal information about them and their experiences, for a variety of projects and initiatives that support the Trust’s strategic aims and objectives.

The use of people’s personal data is not limited to one publication or communications channel. You can find a list of the primary communications channels we manage on our Media page.

Some of the projects we undertake involve sharing information with trusted partners and accredited news media organisations to achieve their objectives.  Where this is the case we will discuss what this means with all concerned to ensure people are comfortable before we take any action.

For more information and to download consent forms visit our Media page.

LYPFT General UK-GDPR Privacy Notice

As a provider of healthcare services, the Trust’s main processing of personal information relates to the provision of healthcare to our Service Users. Our Privacy Notice, explaining how we process information relating to our Service Users, is set out below.

Separate Privacy Notices for HR / Workforce and other corporate functions will be provided to those whose data is processed as part of the “business-as-usual” processes of our various departments. Feel free to contact the Trust Data Protection Officer for more information.

Leeds and York Partnership NHS Foundation Trust (“the Trust”) are the accountable Data Controller for the information we hold. Our contact addresses are as follows;

Head Office
St Mary’s House, Main House
St Mary’s Road
Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Mary’s House
St Martins View
Leeds LS7 3LA

Processing information relating to our Service Users, for healthcare purposes.

The legal basis for this is UK-GDPR Article 9, subsection 2(h)

“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.

To provide high-quality, effective care that is safe, responsive, timely, and efficient, we will both receive and share relevant and necessary information with other health and social care professionals involved in our Service Users’ care, on the same legal basis.

Privacy notice: National Fraud Initiative (NFI)

The Trust is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds or where undertaking a public function in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing sets of data held by one body against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.

We are a mandatory participant in the Cabinet Office’s NFI, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed on the Government website.

The processing of data by the Cabinet Office in a data matching exercise is carried out with a statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or UK-GDPR.

Data matching by the Cabinet Office is subject to a code of data matching practice.

The Cabinet Office has published its privacy notice which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the UK General Data Protection Regulation (UK-GDPR).

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

For further information on data matching at this organisation, please email Carl Money. Full information and details regarding the initiative can be found on the Government website.

The Trust does not process healthcare data outside the European Economic Area.

The Trust will retain and subsequently securely dispose of personal information aligned with the requirements & retention schedules of the NHS Records Management Code of Practice 2021.

The UK General Data Protection Regulation (UK-GDPR) gives those who personal information we hold certain rights. These rights are set out and explained below.

  • The right to be informed

The information in this Privacy Notice should inform our Service Users how their information is processed by the Trust.

  • The right of access

Service Users have a right to make a request to receive a copy of the information we hold about them, however the Trust has a legal obligation to have an appropriate healthcare professional review the information before it is released, to ensure that information likely to cause harm or distress to the Service User or anyone else is removed.

  • The right to rectification

If factual inaccuracies are found and agreed, these will be corrected.

  • The right to erasure

This right does not apply in all circumstances, and does not apply to information held for healthcare purposes. Service User records are retained according to the requirements of the NHS Records Management Code of Practice 2021.

  • The right to restrict processing

This right does not apply in all circumstances. The Trust will record and act upon any restrictions a service user wishes to place on the sharing of their information – e.g. with family members etc., but will share relevant and necessary information with other health and social care professionals involved in our service user’s care, or when otherwise required to do so by law.

  • The right to data portability

This right does not apply in all circumstances. As we do not process healthcare information by automated means or on the basis of consent, it does not apply to healthcare information. We will however respond to Subject Access Requests and provide the information requested in a format of the Service User’s choice when it is reasonable to do so.  

  • The right to object

This right does not apply in all circumstances. As we process Service User information on the legal basis provided above, this right does not apply.

We will however be honouring choices expressed through the National Data Opt-Out Programme, to prevent use of patient data for planning and research purposes.

  • Rights in relation to automated decision making and profiling.

No automated decision making or profiling is carried out using service user information.

  • The right to lodge a complaint with a supervisory authority.

If anyone feels the Trust has failed to uphold any of the above rights, or has other concerns relating to the handling of their information, they may lodge a complaint with the Information Commissioner’s Office. The ICO’s contact details are included below:

Information Commissioner’s Office

Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 (geographic rate number)

The ICO’s website for raising concerns relating to the handling of personal information is:

Service users are not under a statutory or contractual obligation to provide their information, but we do however require service users to provide us with all necessary and relevant information so that we can in turn provide them with safe and effective care.

LYPFT Recovery College UK-GDPR Privacy Notice

The Recovery College is hosted by Leeds and York Partnership NHS Foundation Trust (“the Trust”). Leeds and York Partnership NHS Foundation Trust are the accountable Data Controller for data processed by the Recovery College.

Contact addresses are as follows:

Recovery College
Asket Croft
2 Asket Place
Leeds, LS14 1PP

Head Office
St Mary’s House, Main House
St Mary’s Road

Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Mary’s House
St Martins View
Leeds, LS7 3LA

The Recovery College team will collect, store and process information relating to the management of your enrolment with the Recovery College and the courses you undertake with us. Your consent, as indicated on the enrolment form, will form the legal basis for this data processing, with the processing of your data essential to the management of your enrolment and the services we provide.

Data processed will include your personal information to identify you and the organisations currently (or previously) providing your care, and your contact details. We will also record information relating to accessibility issues, and Equality & Diversity Monitoring data. As the purpose of the College is to promote recovery, we will also ask you for information relating to your current and future health, to monitor the progress you make and the effectiveness of our courses.

The Recovery College will seek your consent using an Opt-In form to record your preferences relating to the marketing of courses which we feel may be of interest to you.

Some of our courses will be facilitated  by partner organisations, we will share your information with these partners when required to manage your attendance on our courses. We will not otherwise share your information unless required to do so by law.

We will not process your personal data outside the European Economic Area.

We will retain and subsequently securely dispose of your information in accordance with the requirements of the Records Management Code of Practice for Health & Social Care.

You have a right to request a copy of any and all the records the Recovery College team holds that are about you, which we will provide to you within 30 days of receiving your written request.

We will correct any factual errors within your records and erase your records when no longer required, or if you withdraw your consent for processing because you have left the Recovery College.

You have a statutory right to raise a complaint with the Information Commissioner’s Office if you feel we have failed to honour your rights under Data Protection legislation.

Your Data & COVID-19 – Supplementary Privacy Notice
This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main Privacy Notice.

The Health and Social Care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms-Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on and FAQs on this law are also available.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-Outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.

It may take us longer to respond to Subject Access requests and Freedom of Information Act requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal / confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal / confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is available on the NHSX website.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.


Our partnership with Akrivia Health to use information in your records

The Trust is entering a new partnership with Akrivia Health, helping to harness the information held within patients’ electronic records. Akrivia Health are leaders in processing of mental health data and have the largest set of real-world data in neuroscience. This partnership will help to streamline processes within service evaluation, auditing and research and development.

How is the data used?

Identifiable data (e.g. name, date of birth, ethnicity, diagnosis) is extracted by Akrivia from CareDirector and anonymised, to protect patient privacy, and structured into a useable format.  This data is available for the Trust to inform direction of services in the future, identify areas of research that will benefit our service user populations and help the auditing of services. The data is further processed and enters a larger database containing anonymous, aggregated information from other NHS partners of Akrivia Health. This pool of data is used to identify possible trends within mental health and inform policy and strategies on a national level.

Is the data safe?

Akrivia Health meet the highest standards required for data storage and the data remains in the UK.  The data is anonymised, upholding safeguarding and privacy of patients.  Project groups who request access to the anonymous data will be examined, to ensure authenticity of projects and data requests.  The aggregated data can be shared between registered and authorised partners in the Akrivia Health Network and industry partners, including approved researchers.

Can service users opt out?

The process will comply with the national data opt-out but also provide a local data opt out specific to Akrivia Health. This can be accessed by sending an email to, where service users can contact for further information or request to be removed from the Akrivia data extract.  This will be communicated via a social media campaign, on the Trust website and through leaflets and posters in waiting areas.

How will this benefit service users?  

Access to useable, long-standing information about service users, is an invaluable resource for the Trust. Allowing us to participate in previously rejected research studies, evaluate services over time and identify evidenced based benefits and improvements.  We can look at disease outcomes and intervention efficacy, allowing us to implement successful interventions much more quickly.

What do service users and clinical staff think?

Support for the implementation of Akrivia Health in the Trust has been enthusiastic from service users and staff involved in initial consultations.

‘This is critical for research in the Trust’

Help from Experts by Experience for Researchers (HEER) group member.


‘I think it is useful, efficient and is an improvement’

Young Persons Advisory Group member.


‘It will impact on how patients use services because new things can be found out about how things are run and what might not be working well’

Young Persons Advisory Group member.


‘The advent of electronic health record systems brings huge potential benefits for individual service users and clinicians. Akrivia allows us to use these existing electronic health systems to benefit the population as a whole. This gives us the ability to use large-scale data to answer complex questions about the population we serve, where we were previously unable to. It is an exciting and innovative opportunity which we are relishing’

Dr George Crowther, Consultant in Old Age Liaison Psychiatry, LYPFT


‘It is impossible to know if you are helping or harming without knowing what has happened to those who used the service before. This is particularly the case for young people using mental health service as there is very little research to guide clinicians. The ability to examine specific aspects of the service we offer to assess if and how it has helped will enable us to improve our service and be responsive to changes in needs in the population we serve. Beyond this it can also help inform and improve services across the country as what is helpful for some maybe helpful for many; informing research trials’

Dr Clare Fenton, Consultant Child and Adolescent Psychiatrist, LYPFT


If you would like to hear more about the Akrivia Health partnership or to find out how it might benefit your service, please get in touch with Zoe Jackson at

Read the official privacy notice in full. 

Opting out of secondary use of your information

The Trust keeps records of the things you tell us and other information about your health and who you are in electronic computer systems. We only use this information to provide you with care, and will not share your information for any other reason unless the law says we must.

Your information can however be used in an anonymous form (with your name, address, and other information which can identify you removed) to help the NHS and the Government plan future healthcare services and carry out medical research. This is known as a “secondary use” of your information

Your Right to Opt Out of Secondary Use

The Government gives you the right to Opt Out of this use of your data. More information on what this means for you, and how to Opt Out is available online.

The UK General Practice Data for Planning and Research scheme (UK-GPDPRS)

In addition to the above, the Government is planning to use information held in GP records to support a wide variety of research and analysis to help run and improve health and care services. This does not affect the information held by the Trust, but we are taking this opportunity to make you aware of this scheme, and to provide you with information on your right to opt out.

More information about the scheme is available online.

To opt out of the use of your data in this way you should complete the “Stop your GP surgery from sharing your data” opt-out form available online.

The Trust Data Protection Officer would be happy to discuss any concerns you may have by using the contact details below:

Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Marys House
St Martins View
Leeds LS7 3LA