Private patients privacy notice


Direct care is a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering. It includes supporting your ability to function and improve participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team who have a legitimate relationship for your care.  

Direct Care is care delivered to you if you are a private patient, most of which is provided through the Private Patients unit and at the trust's main hospitals. After you agree to a referral for care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about you, your circumstances and health will need to be shared with the other healthcare workers, such as a specialist or therapist. The information that is shared is to enable the other healthcare workers to provide you the most appropriate advice, investigations, treatments, therapies and care.   

Where you receive treatment under the NHS, for example as an inpatient of the trust, or other NHS funded care, please also see our other privacy notices.

Information we collect  

To meet our stated purpose, we must collect information about you. We will not always collect all the categories of data, but only what is relevant to your care and treatment as a private patient. This could include who you are, where you live, your occupation, your family, your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other health settings, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and notes reasonably made by healthcare professionals in the trust who are appropriately involved in your health care. We may also collect financial information relating to cost of treatment, health insurance, and banking information for payment purposes.

Where you give us permission, we will access the Health Information Exchange (HIE). HIE integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to a health or social care professional when required for the purpose of your direct care. If you are unable to give us permission because, for example, you are unconscious, we will assess whether under the circumstances it is reasonable and in your best interest to access your HIE record.

Where you are brought in by ambulance we will receive information from the ambulance trust about their observation and treatment of you.  

Our lawful basis  

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation. Our lawful basis for the purpose of processing data in our stated purpose is:  


Article 6(1)(f) “Processing shall be lawful only if and to the extent that at least one of the following applies: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” 

These legitimate interests are to provide you with healthcare services as a private patient.

Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law.

By processing your health data, we will also recognise your rights established under English case law, collectively known as the “Common Law Duty of Confidentiality”. This means that we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care or for reasons of substantial public interest, for example, the prevention and detection of crime.    

Who we share your information with  

We share a summary of your treatment with your GP, unless you ask us not to. When you ask us not to share information with your GP, we will consider whether there is a significant risk to you or others before deciding whether to agree.

Other times we may share your information:  

  • Where you agree to be referred to other healthcare providers, we will share only the necessary and relevant information with that healthcare provider in order for them to treat you.  
  • We may share information with your local authority to support you in arranging social care support.  
  • Further specific details of who we share your personal data with, for example because of a specific legal obligation, are detailed in this privacy notice.   

Our processors  

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. We do not allow our Processors to use your information for their own purposes or allow them to link this to other personal data they may.  

The categories of our processors are organisations who:

  • provide our IT systems 
  • provide some of our medical devices
  • dispose of confidential waste (paper records, laptops or other IT equipment)
  • provide some of our clinical services under contract with us.  

How long will we keep your data  

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.   

Your rights  

Data protection laws give you a number of rights over your personal data. These rights are detailed below.  

The right to be informed  

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information.  

The right of access  

You have the right to access the information we hold about you. You can access some information, such as information from your hospital record, hospital appointments, test results and messages from My RFL Care patient portal. You can find out more information on how to do this here. To access any other personal information we hold, please see our guidance on health records or contact the access team at   

The right to rectification  

You have the right to have inaccurate information about you corrected or incomplete information completed. This is not the same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion you should discuss this with the team whose care you are under. To update your basic contact details or address, please contact the patient advice and liaison (PALS) team.

To request that any other inaccurate information be corrected, please contact

The right to erasure  

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances.  

This is limited to:  

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it; or,  
  • We have to erase it to comply with a legal obligation.  

To exercise this right, please contact  

The right to restrict processing  

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances.  

This is limited to:   

  • Where you contest the accuracy of your personal data and we are verifying the accuracy; or,  
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.  

To exercise this right, please contact  

The right to data portability  

The right to data portability does not apply to the processing of your personal data for this purpose.  

The right to object  

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data.  

An objection may be in relation to all of the personal data we hold about you or only to specific information.   

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation.  

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact  

Rights in relation to automated decision making and profiling  

The trust’s clinical staff use tools to help assist in your diagnoses and treatment; however, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. The trust does not make any solely automated decisions about you.