Privacy notice

Collecting, using and keeping your information secure – the key points

We collect information about you to help provide you with the best possible inpatient care.

  • Learn more about how data may be processed in response to COVID-19;
  • We share your information with private consultants involved in your treatment in order to allow them to provide you with the best possible care.
  • We also collect and process your financial information or that of the company or individual responsible for the payment of invoices or bills relating to your care.
  • We may share your medical information with sponsors or insurers of your care, so that they can ensure that payment for your care is accurate and appropriate.
  • We have a legal duty to keep your information secure. We have regular audits and independent reviews to make sure that we do.
  • We share your information with other health and social care organisations involved in your care.
  • We also use your information in planning, service improvements and medical research. For research, we remove any information that identifies you personally.
  • We use other organisations to help us process your information – we ensure that your information is also handled securely by them, including when they are based outside of the UK.
  • We will only use your information for these reasons if it is lawful.
  • For most patients information is retained for a minimum of eight years from when you were last seen.
  • You can request access to the information we hold about you and you can ask us to correct any errors.

You can find out more by visiting our website www.imperial.nhs.uk/privacy

Our Data Protection Officer is Philip Robinson; you can contact him at:
8th Floor Salton House, ICT Division, St Mary’s Hospital, Praed St, London W2 1NY
Email: imperial.dpo@nhs.net Telephone: 020 370 48355

If you want to request access to the information that we hold about you, please email: imperial.accesstohealthrecords@nhs.net

Imperial College Healthcare NHS Trust is a registered data controller under the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk/concerns Telephone: 0303 123 1113

Information Pertaining to Data Processing in Response to COVID-19

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main IPH Privacy Notice which is available below.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s-Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.

It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak. (our FOI page is here / our SAR Procedures are here)

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing, most likely via ‘Attend Anywhere’ or ‘Clinic.co’. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Given the fast-changing, unpredictable nature of the climate in which we are operating, we may be required to amend this privacy notice at any time. We would therefore kindly advise you to review this notice frequently.

Collecting, using and keeping your information secure

Why do you collect my information?

We collect information about you to help us provide you with the best possible care. The information we collect includes your name, date of birth, NHS number, contact details and notes and correspondence about your health and care.

This information also helps us to plan and improve our services and contributes to medical research. For research purposes, we remove any information that identifies you personally.

We collect your financial information, or that of the company or individual responsible for payment of the bills and invoices associated with your care (namely you, your insurer or your sponsor), in order to process payment information to fulfil our contract with you.

What are your legal duties as an NHS Trust and private healthcare provider?

The law allows us to use your information for your care, for service improvement and for research. We are bound by the General Data Protection Regulation to use your information fairly and lawfully.

In certain circumstances, there may be other reasons why we would use your information – for example, to share information with the police in order to prevent a serious crime – but it will always be in line with our legal duty.

Will my information be shared with anyone else?

We share your information with other health and social care organisations involved in your care. In turn, health and social care organisations involved in your care share your information with us.

We share your information with private consultants involved in your care. These private consultants are considered to be discrete data controllers in providing care services in parallel to the Trust.

We may share your medical information with sponsors or insurers of your care, so that they may ensure that payment for your care is accurate and appropriate. This is so that they may audit these records to ensure that the payments for private healthcare services are accurate and appropriate to the services received.

We share your information with other NHS organisations to contribute to planning or service improvements.

We share with our research partners to undertake medical research. For these purposes, we remove any information that identifies you personally.

We use other organisations to help us process your information, for example to run our electronic patient records system. The information can only be used in the way that we instruct them to use it.

How is my information kept secure?

We have a legal duty to keep your information secure. Our staff undertake annual training about information security and we have regular audits and independent reviews to make sure that we do keep your information safe. We use other organisations to help us process your information. We make sure these organisations also comply with their legal obligations to keep your information secure, including when they are based outside of the UK.

How long will you keep my information?

For most patients, medical information is retained for a minimum of eight years from when you were last seen. For some types of information, we retain the information for a longer period. For example, maternity and children’s records must be retained for at least 25 years.

Records of financial transactions will be held for a minimum of six years. The retention period for debtor records is contingent on their being cleared. Once cleared, such records will be retained for a minimum of two years.

What are my rights regarding my information?

You have the right to request a copy of the information that we hold about you – this is called a ‘subject access request.’ We will provide this on paper or electronically within one month of your request in most cases.

If the information that we hold about you is incorrect, you have the right to have it corrected.

More information and contacts

You can find out more by visiting our website www.imperial.nhs.uk/privacy

Our Data Protection Officer is Philip Robinson; you can contact him at:

8th Floor Salton House, ICT Division, St Mary’s Hospital, Praed St, London W2 1NY
Email: imperial.dpo@nhs.net Telephone: 020 370 48355
If you want to access the information that we hold about you, please email: imperial.accesstohealthrecords@nhs.net

Imperial College Healthcare NHS Trust is a registered data controller under the Information Commissioner’s Office.

You can contact the Information Commissioner’s Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: www.ico.org.uk/concerns Telephone: 0303 123 1113

Will my information be shared with anyone else?

1. We share your information with other health and social care organisations directly involved in your care. We will always have a legal agreement in place with these organisations and ensure that your information will be held securely:

  • NHS organisations involved in your case – we share your information with other NHS trusts, GP surgeries and other care providers involved in your treatment.
  • Non-NHS health and social care professionals – we share your information with local authorities, social workers and private consultants concerned with your care. Our aim is to ensure that other health and social care providers have access to information that supports your care. Your data may be shared with agents of private consultants – namely private medical secretaries – in the course of this process.

2. We share your information with organisations involved in planning and improving your care. We provide anonymised information or require legal justification if they request information that may identify you.

  • NHS bodies – your information may be requested by NHS bodies concerned with the planning and commissioning of healthcare services, such as clinical commissioning groups.
  • Regulatory, audit and inspection bodies – these organisations are concerned with regulating aspects of care and deciding where improvements may be made.

3. We share your information with private consultants involved in your care. These private consultants are considered to be discrete data controllers where providing outpatient care services, with Imperial College Healthcare NHS Trust offering a venue through which to provide this service. This differs from inpatient care, where the Trust remains the data controller of your information.

4. We may share your information with insurers and other possible sponsors (such as charities and embassies) to allow audit of your medical records to ensure that the payments for private healthcare services are accurate and appropriate to the services received.

5. Imperial Private Healthcare subscribes to a voluntary scheme, providing independent adjudication on complaints about the service provided to its patients. Any referrals to this body will be contingent on your documented consent as a patient of Imperial Private Healthcare.

6. In some situations, we use other organisations to help us process your information to help us deliver your care. We will always have a legal agreement in place with these organisations which ensures that they can only use your information as we instruct.

7. We undertake much of our research in partnership with other organisations, in particular with Imperial College London as we jointly run one of the largest biomedical research centres in England. All research with or about our patients has to be ethically approved. In order to achieve more impact, researchers may need to link your health information to other data held about you elsewhere, such as the statistics about hospital attendance collected by NHS England. However, researchers can only use your information in the way we have permitted in advance.

We will not provide researchers with information that identifies you personally, unless you have provided explicit, informed consent to this or there is legal justification to provide this information.

What information about me stored elsewhere is shared with you?

If you are already a patient of ours, we will be able to view your ‘summary care record’. This is an electronic record of key information created from your GP records. This is made available to health professionals involved in your care and as a minimum includes your: name; address; date of birth; NHS number; any allergies and current medication.

Apart from the summary care record, other NHS organisations involved in your care may share information with us to help us care for you.
We are involved in research initiatives that involve patient information from other NHS trusts. If you are not a patient of Imperial College Healthcare NHS Trust, we will not receive your identity or contact details unless you have consented to this or there is legal justification for us to be provided with this information.

How is my information handled safely?

We have a legal duty to keep your information secure. Our staff undertake annual training about information security and we have regular audits and independent reviews to make sure that we do keep your information safe.

We use other organisations to help us process your information. We make sure these organisations also comply with their legal obligations to keep your information secure, including when they are based outside of the UK. These organisations can only use your information in the way that we have instructed and they will never sell your personal information for profit.

Collecting, using and keeping your information secure

What information do you collect?

Imperial Private Healthcare is a constituent body of Imperial College Healthcare NHS Trust, which is a registered data controller under the Information Commissioner’s Office.
Imperial College Healthcare NHS Trust provides acute and specialist care in five hospitals (Charing Cross, Hammersmith, Queen Charlotte’s and Chelsea, St Mary’s and Western Eye) and a growing number of community services in North West London. When you attend one of our hospitals or services, information is recorded about you on paper and electronically. This includes details about:

  • your identity – name, date of birth, NHS number
  • how to contact you – address, telephone, email address
  • your ‘next of kin’ – a close relative or friend
  • your financial information, or the information of the company or individual responsible for the payment of bills and invoices relating to your care
  • A&E visits, hospital admissions or clinic appointments
  • scans, X-rays or tests
  • your diagnosis or treatment
  • any allergies or health conditions
  • information about your nationality and entitlement to treatment in the UK

Any information that identifies you personally is known as ‘personal data’. We collect this personal data to build your health record. These records are collected and used by our staff to help them provide your care.

Under data protection law, we are the ‘data controller’ of the information we hold about you and we are responsible for determining how it will be used to perform our legal duty. We are registered with the Information Commissioner’s Office as a data controller. Click here to see the Trust’s certification.

Why do you collect my information?

1. We want to provide you with the best possible care. Accurate and up-to-date information allows:

  • doctors, nurses and other healthcare professionals to decide the best possible treatment for you. This includes private consultants and related agents (such as private medical secretaries) who support your care.
  • insurers and other possible sponsors (such as charities and embassies) to audit your medical records to ensure that the payments for private healthcare services are accurate and appropriate to the services received.
  • us to process and receive payment for the provision of private healthcare services to you as a patient of Imperial Private Healthcare.
  • us to review and improve the quality of our care and services.
  • your care to be continued safely if you are seen by clinicians in another of our services or hospitals or in a partner health and care organisation.
  • your concerns to be properly investigated if you want to raise a concern or make a complaint.

2. We share your information with other NHS organisations to contribute to planning or service improvement. The collection of NHS statistics allows those organisations to plan for the future and ensure that the needs of patients are met nationwide.

3. We use your information in medical research undertaken by our staff or one of our research partners. This helps researchers to understand how to diagnose illnesses earlier and to develop new treatments. We aim to apply research discoveries to healthcare as quickly as possible in order to improve the lives of our patients and the wider population. Researchers will not be allowed to use information that identifies you personally – such as your name, address and contact details – unless you have given explicit, informed consent.

What are your legal duties as an NHS Trust and private healthcare provider?

Providing you with care
We exercise our official authority under the National Health Service and Community Care Act 1990 by collecting, using and, if necessary, sharing your information in order to provide you with care.

Data protection legislation allows us to use your information in order to carry out our official authority as an NHS Trust.

Service improvement and planning
We share your information with NHS England and other central NHS organisations because they hold official authority under the NHS Act 2006.

Most of the time, they will request information that has been anonymised – where your personal details such as your contact information have been removed. If they request your personal information, they will provide us with an additional legal justification.

Transparency on quality and outcome of private healthcare
As part of a UK-wide, government-mandated programme to improve the public’s access to information on the quality and outcome of private healthcare, we share some of your personal data with the Private Healthcare Information Network (PHIN). This is processed by PHIN to measure quality of care and outcomes. Processing is necessary in order to comply with a legal obligation under the Competition and Markets Authority’s Private Healthcare Market Investigation Order 2014.

Medical research
Improving medical diagnosis and treatment is in the interest of communities and public health. Research undertaken by the Trust, other NHS organisations or universities is lawful because we are acting within the capacity of a public authority and performing research in the public interest.

Research sponsored by commercial companies or charitable organisations is lawful because it is within our legitimate interests as an NHS Trust to conduct this research and we will always consider how it affects your rights as an individual.

Other situations
There are some situations where staff are legally required to pass on information. For instance, they will have to share information to register a birth or they may share information with the police in order to prevent a serious crime.

This table shows the legal grounds for the different purposes for using your data.

| Purpose | Legal Grounds |
| --- | --- |
| Providing you with care | National Health Service and Community Care Act 1990, s5; General Data Protection Regulation Article 6 (1) (e) and Article 9 (2) (h) |
| Payment or insurance information, and the transfer of medical information to the insurer or sponsor of your care | General Data Protection Regulation Article 6 (1) (b) |
| Service improvement and planning | NHS Act 2006; General Data Protection Regulation Article 6 (1) (e) and Article 9 (2) (h) |
| Medical research | General Data Protection Regulation Article 6 (1) (e) and Article 9 (2) (g), (i) & (j); General Data Protection Regulation Article 6 (1) (f) and Article 9 (2) (g), (i) & (j) |
| Transparency on quality and outcome of private healthcare | General Data Protection Regulation Article 6 (1) (c) |
| Independent Complaints Adjudication | General Data Protection Regulation Article 6 (1) (a) |
| Other situations | General Data Protection Regulation Article 6 (1) (c) |

How long do you keep my information?

The Trust complies with the Information Governance Alliance: ‘Records Management Code of Practice for Health and Social Care 2016.’ We will retain your information for as long as necessary to provide you with safe and effective care.

We will set a retention period for our research partners and any organisations that help us to provide your care. They must delete or return your information as soon as the purpose for which it was provided is fulfilled.

Records of financial transactions will be held for a minimum of six years. The retention period for debtor records is contingent on their being cleared. Once cleared, such records will be retained for a minimum of two years.

What are my rights regarding my information?

You have the right to know how we are using your information.

  • You have the right to request a copy of the information we hold about you – on paper or electronically. This is called a ‘subject access request’ and we will provide you with this information within one month in most cases. Because of the amount of information we hold about you, it would greatly help our staff if your request was as specific as possible. If you make multiple requests for paper copies, we may charge you a small fee for postage and packaging.
  • If the information we hold about you is incorrect you have the right to have this corrected.

What information do you collect?

Imperial Private Healthcare is a constituent body of Imperial College Healthcare NHS Trust, which is a registered data controller under the Information Commissioner’s Office.

Imperial College Healthcare NHS Trust provides acute and specialist care in five hospitals (Charing Cross, Hammersmith, Queen Charlotte’s and Chelsea, St Mary’s and Western Eye) and a growing number of community services in North West London. When you attend one of our hospitals or services, information is recorded about you on paper and electronically. This includes details about:

  • your identity – name, date of birth, NHS number
  • how to contact you – address, telephone, email address
  • your ‘next of kin’ – a close relative or friend
  • your financial information, or the information of the company or individual responsible for the payment of bills and invoices relating to your care
  • A&E visits, hospital admissions or clinic appointments
  • scans, X-rays or tests
  • your diagnosis or treatment
  • any allergies or health conditions
  • information about your nationality and entitlement to treatment in the UK

Any information that identifies you personally is known as ‘personal data’. We collect this personal data to build your health record. These records are collected and used by our staff to help them provide your care.

Under data protection law, we are the ‘data controller’ of the information we hold about you and we are responsible for determining how it will be used to perform our legal duty. We are registered with the Information Commissioner’s Office as a data controller. Click here to see the Trust’s certification.

Why do you collect my information?

1. We want to provide you with the best possible care. Accurate and up-to-date information allows:

  • doctors, nurses and other healthcare professionals to decide the best possible treatment for you. This includes private consultants and related agents (such as private medical secretaries) who support your care.
  • insurers and other possible sponsors (such as charities and embassies) to audit your medical records to ensure that the payments for private healthcare services are accurate and appropriate to the services received.
  • us to process and receive payment for the provision of private healthcare services to you as a patient of Imperial Private Healthcare.
  • us to review and improve the quality of our care and services.
  • your care to be continued safely if you are seen by clinicians in another of our services or hospitals or in a partner health and care organisation.
  • your concerns to be properly investigated if you want to raise a concern or make a complaint.

2. We share your information with other NHS organisations to contribute to planning or service improvement. The collection of NHS statistics allows those organisations to plan for the future and ensure that the needs of patients are met nationwide.

3. We use your information in medical research undertaken by our staff or one of our research partners. This helps researchers to understand how to diagnose illnesses earlier and to develop new treatments. We aim to apply research discoveries to healthcare as quickly as possible in order to improve the lives of our patients and the wider population. Researchers will not be allowed to use information that identifies you personally – such as your name, address and contact details – unless you have given explicit, informed consent.

Will my information be shared with anyone else?

  1. We share your information with other health and social care organisations directly involved in your care. We will always have a legal agreement in place with these organisations and ensure that your information will be held securely:
    • NHS organisations involved in your case – we share your information with other NHS trusts, GP surgeries and other care providers involved in your treatment.
    • Non-NHS health and social care professionals – we share your information with local authorities, social workers and private consultants concerned with your care. Our aim is to ensure that other health and social care providers have access to information that supports your care. Your data may be shared with agents of private consultants – namely private medical secretaries – in the course of this process.
  2. We share your information with organisations involved in planning and improving your care. We provide anonymised information or require legal justification if they request information that may identify you.
    • NHS bodies – your information may be requested by NHS bodies concerned with the planning and commissioning of healthcare services, such as clinical commissioning groups.
    • Regulatory, audit and inspection bodies – these organisations are concerned with regulating aspects of care and deciding where improvements may be made.
  3. We share your information with private consultants involved in your care. These private consultants are considered to be discrete data controllers where providing outpatient care services, with Imperial College Healthcare NHS Trust offering a venue through which to provide this service. This differs from inpatient care, where the Trust remains the data controller of your information.
  4. We may share your information with insurers and other possible sponsors (such as charities and embassies) to allow audit of your medical records to ensure that the payments for private healthcare services are accurate and appropriate to the services received.
  5. Imperial Private Healthcare subscribes to a voluntary scheme, providing independent adjudication on complaints about the service provided to its patients. Any referrals to this body will be contingent on your documented consent as a patient of Imperial Private Healthcare.
  6. In some situations, we use other organisations to help us process your information to help us deliver your care. We will always have a legal agreement in place with these organisations which ensures that they can only use your information as we instruct.
  7. We undertake much of our research in partnership with other organisations, in particular with Imperial College London as we jointly run one of the largest biomedical research centres in England. All research with or about our patients has to be ethically approved. In order to achieve more impact, researchers may need to link your health information to other data held about you elsewhere, such as the statistics about hospital attendance collected by NHS England. However, researchers can only use your information in the way we have permitted in advance.

We will not provide researchers with information that identifies you personally, unless you have provided explicit, informed consent to this or there is legal justification to provide this information.

What information about me stored elsewhere is shared with you?

If you are already a patient of ours, we will be able to view your ‘summary care record’. This is an electronic record of key information created from your GP records. This is made available to health professionals involved in your care and as a minimum includes your: name; address; date of birth; NHS number; any allergies and current medication.

Apart from the summary care record, other NHS organisations involved in your care may share information with us to help us care for you.

We are involved in research initiatives that involve patient information from other NHS trusts. If you are not a patient of Imperial College Healthcare NHS Trust, we will not receive your identity or contact details unless you have consented to this or there is legal justification for us to be provided with this information.

How is my information handled safely?

We have a legal duty to keep your information secure. Our staff undertake annual training about information security and we have regular audits and independent reviews to make sure that we do keep your information safe.

We use other organisations to help us process your information. We make sure these organisations also comply with their legal obligations to keep your information secure, including when they are based outside of the UK. These organisations can only use your information in the way that we have instructed and they will never sell your personal information for profit.

How long do you keep my information?

The Trust complies with the Information Governance Alliance: ‘Records Management Code of Practice for Health and Social Care 2016.’ We will retain your information for as long as necessary to provide you with safe and effective care.

We will set a retention period for our research partners and any organisations that help us to provide your care. They must delete or return your information as soon as the purpose for which it was provided is fulfilled.

Records of financial transactions will be held for a minimum of six years. The retention period for debtor records is contingent on their being cleared. Once cleared, such records will be retained for a minimum of two years.

What are my rights regarding my information?

  • You have the right to know how we are using your information.
  • You have the right to request a copy of the information we hold about you – on paper or electronically. This is called a ‘subject access request’ and we will provide you with this information within one month in most cases. Because of the amount of information we hold about you, it would greatly help our staff if your request was as specific as possible. If you make multiple requests for paper copies, we may charge you a small fee for postage and packaging.
  • If the information we hold about you is incorrect you have the right to have this corrected.

More information and contacts

Imperial Private Healthcare is a constituent body of Imperial College Healthcare NHS Trust.

Our Data Protection Officer is Philip Robinson; you can contact him at:

8th Floor Salton House, ICT Division, St Mary’s Hospital, Praed St, London W2 1NY
Email: imperial.dpo@nhs.net Telephone: 020 370 48355

If you want to access the information that we hold about you, please email: imperial.accesstohealthrecords@nhs.net

Imperial College Healthcare NHS Trust is a registered data controller under the Information Commissioner’s Office.

You can contact the Information Commissioner’s Office at:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk/concerns Telephone: 0303 123 1113

The Trust is registered as a data controller under the registration number Z1152836.