Privacy notice
The Royal Free London as a controller
In the National Health Service (NHS), we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or that we plan to provide to you.
The Royal Free London is a controller for the information we hold about you under the United Kingdom General Data Protection Regulation (UK GDPR). We are not the controller for all the personal information in the NHS, only the information we hold. You should visit other NHS organisations websites who have treated you for details on the information they hold.
Our legal name is the Royal Free London NHS Foundation Trust. Our registration number with the Information Commissioner’s Office (ICO) is Z6460180.
Controllers make decisions about processing activities. They exercise overall control of the personal information being processed and are ultimately in charge of, and responsible for the processing. Process and processing means any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, use, sharing, consolidation, blocking, erasure or destruction of data.
General
Why we collect your personal information
The main reason we collect information about you is for your direct care and treatment to ensure safe and high-quality care for all our patients. We also collect and use information for other purposes such as research. Detailed information on our purposes, and your rights can be found in the links at the end of this notice.
What type of personal information do we collect
To be able to provide you with care and for our other purposes we need to collect information about you. This includes:
- name
- address
- date of birth
- NHS number
- next of kin
- diagnosis
- treatment
- hospital visits
- allergies
- health conditions
The trust also records CCTV images for the prevention and detection of crime; this may include body worn video and audio recordings.
Why we collect information about you
The people who care for you use your information and records to:
- provide a good basis for all health decisions made by you and your care professionals
- make sure your care is safe and effective
- work effectively with other organisations providing you with care
- research
- to comply with legal obligations
Others in the NHS may also need to use records about you
Sometimes we need to share your information with other organisations to:
- check the quality of care (called clinical audit)
- collect data regarding public health matters
- ensure NHS funding is being allocated appropriately
- help investigate any concerns or complaints you may have about your health care
- teach healthcare workers and help with research and planning
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
How long do we hold information for?
We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.
Information sharing with non-NHS organisations
For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services or private healthcare organisations.
We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if:
- it is in the public interest — for example, there is a risk of death or serious harm
- there is a legal need to share it — for example, to protect a child
- a court order tells us that we must share it
- there is a legitimate enquiry from the police
What are your rights?
You have rights regarding your information, these rights vary depending on our reason for using use personal information.
Your data protection rights are:
- Right of access — you have the right to ask us for copies of your personal information.
- Right to rectification — you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Right to erasure — you have the right to ask us to erase your personal information in certain circumstances.
- Right to restriction of processing — you have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Right to object to processing — you have the right to object to the processing of your personal information in certain circumstances.
- Right to data portability — you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. See our contact details below. Not every right applies all of the time. Explanations on your rights can be found in the detailed privacy notices below.
Watch our video on how we use your information
Data Protection Officer
As a public authority the Royal Free London must appoint a Data Protection Officer (DPO). The DPO’s tasks defined in law and are:
- to inform and advise the trust and its employees about obligations to comply with the UK GDPR and other data protection laws;
- to monitor the trust’s compliance with the UK GDPR and other data protection laws, and data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the ICO; and
- to be the first point of contact for the ICO and for individuals whose data is processed (employees, patients etc).
The trust’s Data Protection Officer is Kevin Winter, Director of Information Governance.
How to contact us
Please contact us if you have any questions about our privacy notice or the information we hold about you.
Information Governance Team
Post:
Information Governance Team
Royal Free London NHS Foundation Trust
Anne Bryans House
77 Fleet Road
London
NW3 2QH
Email:
rf-tr.informationgovernance@nhs.net
Data Protection Officer
Post :
Data Protection Officer
Royal Free London NHS Foundation Trust
Anne Bryans House
77 Fleet Road
London
NW3 2QH
Email:
rf-tr.rfldpo@nhs.net
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at rf.complaints@nhs.net. See further information on making a complaint.
You can also complain to the Information Commissioner’s Office who is the independent UK regulator for data protection.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://ico.org.uk/
Accessing your information
You have the right to access the information we hold about you. You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care patient portal. You can find out more information on how to do this here. To access any other personal information we hold, please see our guidance on health records or contact the access team at rf-tr.AccessRequests@nhs.net