Privacy notice

The Royal Free London as a controller  

In the National Health Service (NHS), we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or that we plan to provide to you. 

The Royal Free London is a controller for the information we hold about you under the United Kingdom General Data Protection Regulation (UK GDPR). We are not the controller for all the personal information in the NHS, only the information we hold. You should visit other NHS organisations websites who have treated you for details on the information they hold. 

Our legal name is the Royal Free London NHS Foundation Trust. Our registration number with the Information Commissioner’s Office (ICO) is Z6460180. 

Controllers make decisions about processing activities. They exercise overall control of the personal information being processed and are ultimately in charge of, and responsible for the processing. Process and processing means any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, use, sharing, consolidation, blocking, erasure or destruction of data. 


Why we collect your personal information 

The main reason we collect information about you is for your direct care and treatment to ensure safe and high-quality care for all our patients. We also collect and use information for other purposes such as research. Detailed information on our purposes, and your rights can be found in the links at the end of this notice. 

What type of personal information do we collect 

To be able to provide you with care and for our other purposes we need to collect information about you. This includes: 

  • name 
  • address 
  • date of birth 
  • NHS number 
  • next of kin 
  • diagnosis 
  • treatment 
  • hospital visits 
  • allergies 
  • health conditions 

The trust also records CCTV images for the prevention and detection of crime; this may include body worn video and audio recordings. 

Why we collect information about you 

The people who care for you use your information and records to: 

  • provide a good basis for all health decisions made by you and your care professionals 
  • make sure your care is safe and effective 
  • work effectively with other organisations providing you with care 
  • research  
  • to comply with legal obligations 

Others in the NHS may also need to use records about you  

Sometimes we need to share your information with other organisations to:  

  • check the quality of care (called clinical audit) 
  • collect data regarding public health matters 
  • ensure NHS funding is being allocated appropriately 
  • help investigate any concerns or complaints you may have about your health care 
  • teach healthcare workers and help with research and planning 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. 

How long do we hold information for? 

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule

Information sharing with non-NHS organisations 

For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services or private healthcare organisations.  

We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if: 

  • it is in the public interest — for example, there is a risk of death or serious harm 
  • there is a legal need to share it — for example, to protect a child 
  • a court order tells us that we must share it 
  • there is a legitimate enquiry from the police 

What are your rights? 

You have rights regarding your information, these rights vary depending on our reason for using use personal information. 

Your data protection rights are: 

  • Right of access — you have the right to ask us for copies of your personal information.  
  • Right to rectification — you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.  
  • Right to erasure — you have the right to ask us to erase your personal information in certain circumstances.  
  • Right to restriction of processing — you have the right to ask us to restrict the processing of your personal information in certain circumstances.  
  • Right to object to processing — you have the right to object to the processing of your personal information in certain circumstances. 
  • Right to data portability — you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances. 

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. See our contact details below. Not every right applies all of the time. Explanations on your rights can be found in the detailed privacy notices below. 

Watch our video on how we use your information 

Data Protection Officer  

As a public authority the Royal Free London must appoint a Data Protection Officer (DPO). The DPO’s tasks defined in law and are: 

  • to inform and advise the trust and its employees about obligations to comply with the UK GDPR and other data protection laws; 
  • to monitor the trust’s compliance with the UK GDPR and other data protection laws, and data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits; 
  • to advise on, and to monitor, data protection impact assessments; 
  • to cooperate with the ICO; and 
  • to be the first point of contact for the ICO and for individuals whose data is processed (employees, patients etc). 

The trust’s Data Protection Officer is Kevin Winter, Director of Information Governance.  

How to contact us 

Please contact us if you have any questions about our privacy notice or the information we hold about you. 

Information Governance Team 

Information Governance Team 
Royal Free London NHS Foundation Trust 
Anne Bryans House
77 Fleet Road 
NW3 2QH 


Data Protection Officer 

Post :
Data Protection Officer 
Royal Free London NHS Foundation Trust 
Anne Bryans House  
77 Fleet Road 
NW3 2QH 


How to complain 

If you have any concerns about our use of your personal information, you can make a complaint to us at See further information on making a complaint.  

You can also complain to the Information Commissioner’s Office who is the independent UK regulator for data protection. 

Information Commissioner’s Office 
Wycliffe House
Water Lane
SK9 5AF 

Helpline number: 0303 123 1113 

ICO website:

Accessing your information 

You have the right to access the information we hold about you. You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care patient portal. You can find out more information on how to do this here. To access any other personal information we hold, please see our guidance on health records or contact the access team at

Detailed notices