Fair Processing Notice Privacy Notice

Your personal information and what you need to know

Who we are and what we do

Isle of Wight NHS Trust (the Trust) is a Data Controller and our address is:

St Marys Hospital
Newport, Isle of Wight
PO30 5TG

As an integrated acute and ambulance healthcare provider in England, the trust is responsible for delivering your NHS services, including planned and emergency hospital care and ambulance services. 

For more information please refer to our 'About us' page.

For further details regarding our registration as a Data Controller, please visit: Register of data protection fee payers

The NHS aims to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided, or plan to provide to you.

Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection legislation.

All our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2016.

Our commitment to data privacy and confidentiality issues

We are committed to protecting your privacy and will only process data in accordance with Data Protection Legislation. This includes the UK General Data Protection Regulation UK GDPR, the Data Protection Act DPA 2018, the Law Enforcement Directive Directive EU 2016/680 LED and any applicable national legislation implementing them as amended from time to time. 

The legislation requires us to process personal and special category data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

In addition, consideration will also be given to all applicable legislation concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care Safety and Quality Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications EC Directive Regulations.

Using your information

We need to use information about our patients and population to enable us to deliver services which meet their needs. In undertaking our role as healthcare provider our Trust holds information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure confidential and what your rights are in relation to this. Within the health sector, we follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. 

The Trust has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian and contact details are: 

Steve Parker, Medical Director, email: steve.parker@nhs.net
Telephone: 01983 822099 ext. 5366.

The Caldicott Guardian is supported by another senior member of staff who is responsible for information risk and information security, this person is called the Senior Information Risk Owner SIRO and contact details are:

Nikki Turner, Chief Transformation Officer, email: nikki.turner3@nhs.net

The above roles are supported by our Data Protection Officer (DPO). The DPO is responsible for monitoring compliance with Data Protection legislation UK GDPR & DPA 2018, Information Governance IG policies, providing advice and guidance, raising awareness, training and audits. The DPO acts as a contact point for the ICO, employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection. The contact details of our DPO are as follows:

Email: iownt.dpo@nhs.net
Telephone: 01983 822099 ext. 4091.

The Trust is a Data Controller and is registered with the Information Commissioner’s Office ICO to collect data for a variety of purposes. Our registration number is Z3116597 and a copy of the registration is available through the ICO website: www.ico.org.uk

What kind of information do we use?

As a healthcare provider we need to hold personal information about you and this can be collected from you in a number of ways, for example this could be from referral details from your GP or another hospital or service, directly from you or from your authorised representative. We hold the following personal data as defined within UK GDPR, which includes:

  • Your name
  • Address
  • Telephone numbers
  • Date of birth
  • Emergency or preferred contacts / next of kin details
  • GP details
  • NHS Number

In addition we may also hold your email address, partnership or marriage status, occupation, residential status if you are a patient who is an overseas visitor, place of birth, and preferred name, or maiden name. We may also hold bank account or credit card details for patients when relevant e.g. using private facilities at St. Mary’s Hospital.

CCTV is used throughout trust buildings and on some trust vehicles for the following purposes:

  • To assist in the prevention and detection of crime against both persons and property.
  • To facilitate the identification, apprehension and prosecution of offenders in relation to crime.
  • To ensure the security and safety of our patients, employees and property belonging to the Trust

All areas where CCTV is in operation are clearly signposted and include contact details of the organisation holding responsibility.

Ambulance staff also wear ‘body worn cameras’ for clinical purposes but also for the same purposes as listed in the first three bullet points above. Wherever possible staff will advise individuals when body worn cameras are in operation.

In addition to the above, we hold ‘special category data’ as defined within GDPR which may include:

  • Health records
  • Your religion
  • Race and ethnic origin
  • Genetic and biometric data
  • Sex life or orientation

We also hold the following types of data:

  • Confidential Information – this term describes data about identified or identifiable individuals which must be kept private and includes records of the deceased as well as living people. ‘Confidential’ includes information that is ‘given in confidence’ and ‘that which is owed a duty of confidence’.
  • Pseudonymised - this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
  • Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified.
  • Aggregated - anonymised information that is grouped together so that it doesn't identify individuals.

What do we use your personal and special category data for?

  • To produce a record of all health decisions made about you and the care provided to you which may involve clinical, support and administrative staff.

  • To respond to your queries, compliments or concerns.

  • For assessment and evaluation of safeguarding concerns.
  • Where there is a provision permitting the use of confidential personal information under specific conditions, for example to ensure that the Trust is paid accurately for the treatment of its patients, which is known as invoice validation.
  • Clinical audit - further information is found at: https://www.england.nhs.uk/clinaudit/
Personal and special category data could also be used in the following cases:
  • We need to respond to patients, carers or Member of Parliament communications.
  • You have freely given your informed agreement consent for us to use your information for a specific purpose.
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
  • There is a legal requirement that will allow us to use or provide information e.g. a Court order.
  • To help teach and train new members of staff.

Health Research

The Trust has a very active and nationally recognised research department. The majority of the care you receive in hospital has come about as the result of clinical research. High quality clinical research means the NHS can improve future healthcare for everyone. The clinical research team including research nurses, within the Trust will identify if you are eligible for a particular research study, and then the research team will contact you to obtain your consent. All information collected for research purposes will be de-identified before the results are published.

All research undertaken at the Trust is governed by the Health Research Authority. Read about how your information is used in research.

In England if you do not wish for your information to be used for research you can register your choice to ‘opt out’.


The Trust provides the opportunity for learning and development of all students. They are valuable in growing and sustaining our future workforce and allows them to learn all the skills they need to obtain their qualification and enter the workplace. We support students across all fields within the NHS and from a variety of programmes.

A number of the students are between 16 to18 years old but robust due diligence exercises are undertaken with the students to ensure they understand the importance of patient confidentiality. This includes completing Information Governance training and signing honorary contracts and learner agreements.

What do we use non-identifiable data for?

We use pseudonymised, anonymised, and aggregated data to plan health care services. Specifically we use it to:

  • Check the quality and efficiency of the health services we provide.
  • To help improve the quality of services for patients and ensure that the right treatment is being provided to patients - for further information visit: NHS England
  • Prepare performance reports on the services we provide
  • Review the care being provided to make sure it is of the highest standard
  • To help teach and train new members of staff
  • To keep track of NHS spending.

Do we share your information with other organisations?

We will share your information with other organisations to assist with providing you with the best care possible. This will typically be your GP Practice as well as other NHS organisations and Care Homes. Some services within the Trust use the electronic patient record system, SystmOne which is also the system that all Isle of Wight GP Practices use. This allows the systems to share information with one another to ensure that both your GP record and your hospital record contain the most up to date and relevant health information about you. You will be advised of this element of sharing by the relevant clinician and can decline for information to be shared.

Other organisations who receive information from the Trust have a legal duty to keep it confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided. Where we share your information with other organisations that do not form part of your care, permission from yourself will be obtained before sending the information unless we have a legal obligation to provide the information or we are required to do so because the interest of the public is considered to be of greater importance.

There are occasions where we have a legal duty to share patient information with external organisations which operate to oversee and address issues relating to the management of the NHS as a whole. These may include the following, the list is not exhaustive:

  • The Central Registrar of Births and Deaths
  • Notification of infectious diseases including Food Poisoning are reported to Public Health England.
  • The Care Quality Commission which has the powers of inspection and access to required documentation.
  • Investigations by regulators of professionals e.g. General Medical Council and the Nursing and Midwifery Council.
  • Coroner’s investigations into the circumstances of a death.
  • Reports of deaths, major injuries and accidents to the Health and Safety Executive.
  • Information to the Police or other agency when required by law.
  • For safeguarding children or vulnerable adults.
  • To protect your vital interests, your data may be shared in an emergency
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

The Trust hold contracts with other organisations who process data on our behalf Data Processors in order to deliver healthcare. We ensure that these Data Processors are legally and contractually bound to operate within agreed security arrangements, and evidence that these are in place where data that could or does identify an individual are processed. 

In addition, we may share information outside of the European Economic Area EEA in accordance with the UK GDPR.

Coded information about patient care is sent to NHS England who manage information sent to the Department of Health & Social Care. This information is used to review the treatment provided to patients across the NHS and identify trends/changes in the health of the population.

A full list of details including the legal basis, key Data Processor involvement and the purposes for processing information can be found in Appendix A.

What safeguards are in place to ensure data that identifies you is secure?

The NHS England Code of Practice on Confidential Information applies to all Trust staff and anyone acting on behalf of the Trust.   They are all required to protect your information, inform you of how your information will be used, and in certain circumstances allow you to decide if and how your information can be shared. In addition all staff are required to ensure that information is kept confidential and must undertake annual Data Security Awareness training on how to do this. This is monitored by the Trust and can be enforced through disciplinary procedures.

We also ensure that the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption which codes data so that unauthorised users cannot see or make sense of it.

How long do we hold information for?

All records held by the Trust will be kept for the duration specified by national guidance from NHS England, Health and Social Care Records Code of Practice 2016. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way dependent upon the type of information it is.  Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.

Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit:


The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS England has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018.

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS England not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out.  For more information visit: www.nhs.uk/your-nhs-data-matters

Lawful basis for processing your data

Your rights under Data Protection legislation.

Under the GDPR the Trust has a legal basis for processing patient information without consent, e.g. clinicians consulting with each other about your care needs within the Hospital. The legal justification for this is documented below:

Article 6 1 e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Article 9 2 h: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to below.

Communicating about your care within the NHS does not require your consent to process your personal data to deliver your healthcare and treatment. However, an individual has the right to object to the processing of their information for purposes other than direct care e.g. performance management of services, external clinical audits - see above section.

It is your choice whether you want your confidential information to be used in this way.  If you are happy with this use of information you do not need to do anything. If you do choose to opt out of your information being used in this way, your confidential patient information will still be used to support your individual care.

The Data Protection legislation provides you with the following rights:

  • Right of Access - Request access to the personal data we hold about you, e.g. health records. The way in which you can access your own health records is explained in more detail in our ‘access to records’ section on our Requesting Information page.
  • Right to Rectification - Request the correction of inaccurate or incomplete information recorded in your health records. This is also explained in our 'Access to records’ section.
  • Right to Erasure right to be forgotten - This is not an absolute right and does not apply when an organisation’s legal basis for processing is the performance of a task carried out in the public interest or the exercise of official authority - please see above section.
  • Right to Restrict Processing - This applies when you contest the accuracy of your personal data and usually only restricts processing whilst we ascertain whether another right applies.
  • Right to Data Portability - This is not an absolute right and does not apply when an organisation’s legal basis for processing is the performance of a task carried out in the public interest or the exercise of official authority - please see above section.
  • Right to Object to Processing - This is not an absolute right but you can object on the basis of processing in the performance of a task carried out in the exercise of our official authority. However, this request may not always be met if we can demonstrate compelling legitimate grounds for the processing which override the interests and rights and freedoms of the individual.
  • Rights related to automated decision making including profiling - This is you right to challenge any decisions made without human intervention automated decision making.

If you'd like to make a request for personal information for a living individual this can be made as a Subject Access Request under UK General Data Protection Regulations and the Data Protection Act 2018. Please make the request online by using our secure  Request for Information Portal.

If you are unable to use the Request for Information Portal, please contact the Data Subject Rights Team:

Information Governance Department
Isle of Wight NHS Trust
Newport, Isle of Wight
PO30 5TG

Telephone: 01983 822099 ext. 4091
Email: iownt.dsr@nhs.net

For access to health records of deceased individuals the Access to Health Records 1990 must be applied. Please use our Request for Information Portal to submit your request.

Requesting non-personal information

The Freedom of Information Act 2000 FOIA gives individuals a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the Trust holds, that does not fall under an exemption. This does not include information that is covered by Data Protection Legislation.  However you can request this under a right of access request – see section above.

You can make the request online by using our secure Request for Information Portal.

By using the portal you can log a request, view outstanding requests, access files, and answer any questions relating to your request.

Click 'Get started online', then follow the instructions to setup your account, or log in if you have an existing account.

When making your request, please ensure the correct form is selected, this will help the team process your request effectively.

If you need help, refer to the Request for Information Portal guide.

Your request must be in writing and can be either emailed or posted to:

Alternatively, you can email: iownt.freedomofinformation@nhs.net

Complaints or concerns

If you have a complaint or concern about how we have handled your personal data, please contact our Data Protection Officer who will address your concerns and investigate the matter further.

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 or local rate: 01625 545 745
Email: Request for Information Portal
Visit the ICO website. Request for Information Portal

Cookies and other tracking technologies

Our analytics provider uses technologies such as cookies, beacons, tags and scripts, to analyse trends, administer the website, track users’ movements around the website, and gather demographic information about our website visitors as a whole. A cookie is a small file stored on your computer by a website which gives you a numeric user ID and stores certain information about your activity on the site. We use cookies to let us know that you are a returning visitor and to provide certain features to you. Most web browsers automatically accept cookies, but most allow you to instruct your browser to prevent the use of cookies. If you disable this feature, you will not experience any functionality problems with our website.

Use of email and SMS text

Some services in the Trust now provide the option to communicate with patients via email and SMS text. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by using this service you are accepting this additional risk.

Any emails sent by Trust staff for the purpose of your healthcare which contain your personal information are appropriately protected by NHS Security Standards including encryption where required.  More information can be found at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment

Links to other websites

This privacy notice does not cover the links included within this notice linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This Privacy Notice was last updated in December 2023.

If you would like to submit any comments or feedback regarding our Privacy Notice please email these to: iownt.informationgovernance@nhs.net

Appendix A:



GP Referral Review

Purpose – To process your GP referral via the Trusts Electronic Referral System ERS which will include personal information as well as special category data health information regarding your referral. Medefer will be provided with any relevant tests and clinical letters in relation to your referral either by the GP directly or by accessing the Trust’s electronic patient records. Medefer will then contact you regarding your referral and provide you with further information of how your referral will be progressed. 

Legal Basis - UK GDPR Art. 6 1 e and Art.9 2 h.  

Data Controller/Processor – The Trust use a company called Medefer for which we have an NHS contract in place. For the purpose of the contract the Isle of Wight NHS Trust and Medefer are joint data controllers. For further details please visit Medefer’s website https://www.medefer.com/


Purpose – To deliver a Dermatology service. 

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h. 

Data Controller/Processor – The contract for Dermatology services is sub contracted by the Trust to Lighthouse Medical Limited. This service is provided by Lighthouse Medical Limited who are the data processor. The Isle of Wight NHS Trust remains the Data Controller.

Confidential Waste Services

Purpose – To destroy confidential waste. 

Legal Basis for processing – UK GDPR Art 6 1 e and 9 2 h. 

Data Processor/Controller – The Trust have a contract in place with Restore Data Shred who are the Data Processor.  The Isle of Wight NHS Trust remains the Data Controller.

Mental Health Wellbeing Service

Purpose – Provision of mental health wellbeing services. 

Legal Basis for processing – UK GDPR Art. 6 1 e and Art.9 2 h.  

Data Processor/Controller – Isorropia Foundation CIS are the data processor and the Isle of Wight NHS Trust remains the data controller.

Autism Assessment Service

Purpose – To provide a choice of provider for Adults Autistic Spectrum Disorder ASD assessments. 

Legal Basis for processing – UK GDPR Art. 6 1 e and Art.9 2 h. In addition, the Trust asks for consent to share your data with Healios to satisfy the common law duty of confidentiality. 

Data Processor/Controller – We have a contract in place with Healios to provide this service and they act as the data processor and the Isle of Wight NHS Trust remains the data controller.

Mental Health Crisis Out of Hours Service

Purpose – To provide an out of hours service for individuals experiencing mental health crisis. 

Legal Basis for processing – Contact to Two Saints Ltd is made by yourself however data may be shared with the Trust under UK GDPR Art.  6 1 e and Art.9 2 h.  

Data Processor/Controller – We have a contract in place with Two Saints Ltd to provide this service and they act as the data processor and the Isle of Wight NHS Trust remains the data controller.

Cognitive Behaviour Therapy CBT Service - Online

Purpose – To provide a step 3 high intensity therapy to specific patients by way of referral to IESO.

Legal Basis for processing – UK GDPR Art. 6 1 e and Art.9 2 h.  

Data Processor/Controller – The Isle of Wight NHS Trust remains the data controller and IESO are the data processor. We have a contract in place with IESO.


Purpose – To provide an Audiology service. 

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h. 

Data Controller/Processor – Audiology services are delivered by Portsmouth Hospitals Trust PHT who are the data controller. The service is however delivered at the Isle of Wight Trust to provide localised delivery to individuals on the Isle of Wight.

Renal Dialysis

Purpose – To provide a Renal Dialysis service.

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h.  

Data Controller/Processor – Renal Dialysis services are delivered by Portsmouth Hospitals Trust PHT who are the data controller. The service is however delivered at the Isle of Wight Trust to provide localised delivery to people on the Isle of Wight.

Sexual Health Services

Purpose – To provide a sexual health service. 

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h.

Data Processor/Controller – The sexual health service is provided and delivered by Solent NHS Trust who is the Data Controller. The service however is based at the Isle of Wight Trust.

Primary Care Out of Hours Service

Purpose – To provide a definitive clinical assessment process for a primary care out of hours service to ensure patients are managed and triaged appropriately. 

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h.

Data Controller/Data Processor – The service is contracted out to Partnering Health Limited PHL who act as our data processor. The Isle of Wight NHS Trust remains the Data Controller.

Legal Services

Purpose – To provide legal services to the Trust such as litigation. 

Legal Basis for processing - UK GDPR Art 6 1 e and Art 9 2 f. We have a contract in place with Bevan Brittan.

Data Controller/Data Processor - We have a contract with Bevan Brittan to deliver legal services to the Trust, who act as our data processor. The Isle of Wight NHS Trust remains the Data Controller.


Purpose – To provide internal/external auditors to the Trust 

Legal basis – UK GDPR Art 6 1 e. We have a contract in place with Ernst Young and TIAA to carry out internal/external audits.

Data Processor/Controller  The Isle of Wight NHS Trust is the data controller and Ernst Young and TIAA are the data processor.

Additional Ambulance Services/Support

Purpose – To provide additional ambulance services/support during Covid 19.

Legal Basis – UK GDPR 6 1 e and Art 9 2 h. We have a contract in place with Medi4 and FestiMed. 

Data Controller/Processor – The Isle of Wight NHS Trust is the data controller and Medi4 and FestiMed are data processors.

COVID 19 Pandemic Response Support – Health Services

Purpose – To provide COVID 19 pandemic response support for health care services.  

Legal Basis for processing - UK GDPR Art. 6 1 e and Art.9 2 h.

Data Processor/Controller – NHS England have a contract in place with Care UK Portsmouth and Southampton to deliver health services to the Trust in response to the COVID 19 pandemic. The Isle of Wight NHS Trust acts as a joint data controller with Care UK.

Neurology UHS

Purpose - Booking of Neurology patients to follow slots at the Isle of Wight NHS Trust.

Legal Basis for processing – UK GDPR Art 6 1 e and Art 9 2 h.

Data Processor / Controller - University of Hospital Southampton is the Data Processor and the Isle of Wight NHS Trust is the Data Controller.

Text messaging service

Purpose - Patients attending Outpatient appointments receive a reminder text message prior to their appointment.

Legal Basis for processing - UK GDPR Art 6 1 e and Art 9 2 h. You can opt out from receiving text messaging reminders by contacting the Outpatients department (detailed in your appointment letter) and this will be recorded on your patient record. 

Data Processor/Controller- Healthcare Communications Ltd is the Data Processor and the Isle of Wight NHS Trust is the Data Controller. 

Backlogs Limited - Referred histology samples

Purpose – To receive and report histology samples during periods of high work load. 

Legal Basis for processing – UK GDPR Art 6 1 e and Art 9 2 h. We have a contract in place with Backlogs Ltd. 

Data Processor/Controller – The Isle of Wight NHS Trust is the data controller. Backlogs Limited is the data processor.

Child Immunisations

Purpose – The Child immunisation service has been delivered by Solent NHS Trust since 1st August 2020. However the Trust will continue to share relevant information with Solent via the Trusts PARIS system for continuity of care. 

Legal Basis for Processing - UK GDPR Art 6 1 e and Art 9 2 h.

Data Processor/Controller – Solent NHS Trust is the Data Controller for all Child Immunisations/Vaccinations that they are responsible for.

Rapid Diagnostic Service

Purpose – To manage and assess suspected cancer patients via the Trusts E Care Logic system. 

Legal Basis for Processing – UK GDPR Art 6 1 e and Art 9 2 h.

Data Processor/Controller – The Isle of Wight NHS Trust remains Data Controller however the RDS is delivered by University Hospital Southampton on behalf of the Wessex Cancer Alliance who maintains a record of the actions they have undertaken on patients referred to them. They are therefore also Data Controllers.

Mental Health Support Teams

Purpose – The Mental Health Support Teams Project is a new National partnership project funded by NHS England to support Children and Young People with mild to moderate Mental Health needs. It is born out of the Governments Green Paper ‘Transforming Young People’s Mental Health provisions’ set up to address the mental health needs of CYP and reduce health inequalities by joining up mental health and education providers. 

Legal Basis for Processing – UK GDPR Art 6 1 e and Art 9 2 h.

Data Controller – Isle of Wight NHS Trust are the lead provider however are joint controllers with the IW Youth Trust and Barnardo’s Isle of Wight.