This policy sets out how, in our day to day activities, The University College London Hospitals NHS Foundation Trust (UCLH) processes and stores personal information relating to our patients and users of our websites.


To fulfil obligations to deliver diagnosis, treatment, research, education and our community services we collect and process personal information.  In so doing UCLH adheres to the requirements of all applicable legislation including the General Data Protection Regulation (GDPR) and applies those requirements to any personal information we hold that relates to you.

We aim to be clear about when and how we collect your information and will not to do anything with it you would not reasonably expect or which we have not made you aware.  Please read this policy carefully to understand how we collect, use and store your information.

Contacting us

UCLH is a data controller in respect of your personal information. If you have any questions about this policy or the ways in which we may process your personal information, please contact us:

Data Protection Officer
2nd Floor
Maple House
Tottenham Court Road

What personal information do we collect?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about you,  your health and any care and treatment you are offered or receive.  This may include:

  1. Name, address, date of birth, phone number, and email address (where you have provided it to enable us to communicate with you)
  2. Your next of kin and contact details
  3. Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  4. Results of your tests and diagnosis, including medical imaging
  5. Relevant information from other professionals, relatives or those who care for you or know you well
  6. Any contacts you have with us such as home visits or outpatient appointments
  7. Information on medicines, side effects and allergies
  8. Patient experience feedback and treatment outcome information you provide.

Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers.  To assist this, other electronic patient record systems to share your information will be used.  At the relevant point you will be given the opportunity to say no and to opt-out of having your information held on these systems. Should you choose to opt-in, please note that at any point afterwards you can change your mind and opt-out by informing your GP and / or relevant health professional involved in your care.

Our website

When you visit our website, you may provide us with personal information such as:

  1. Your name
  2. Your contact details
  3. Your date of birth
  4. Your gender
  5. Your credit/debit card details
  6. Your job title
  7. Your employment history
  8. Information on your usage of our website

Here are some examples of when you can provide us with personal information on this website:

  1. When contacting us with an enquiry either via webform or email link
  2. When signing up to a newsletter
  3. When purchasing an event ticket
  4. When giving feedback
  5. When filling out a form
  6. When you apply for a job with us. Our human resources department will update you on progress of your application. Please note that UCLH retains evidence of a staff member’s right to work, security documentation and a successful candidate’s application form for six years after the staff member leaves or on their 75th birthday, whichever is sooner. However there is no legislation which prescribes how long to retain information relating to unsuccessful candidates. The UCLH approach is therefore to retain this information for 400 days after the interview date for unsuccessful candidates.

Sensitive data

Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

GDPR adds a special data category of genetic data and biometric data that is processed to uniquely identify an individual.

As a healthcare organisation, UCLH will therefore collect sensitive data as defined above. For example:

  1. When submitting a referral request
  2. When submitting your story to be considered as case study

However we do not solely collect healthcare information. Other information will include religious information, for example to make us aware of dietary requirements or limits to treatment, or philosophical beliefs, for example for patients who are vegan and therefore have requirements regarding particular medicines.

Every day we are working to ensure that our staff provide inclusive services to all patients, which meet their needs and are delivered with kindness, dignity and respect, irrespective of any equality characteristic such as gender, race, religion or disability status. We also want to ensure that all our staff are treated similarly with kindness, dignity and respect.  Staff and patient surveys are a key mechanism in helping us achieve this as we carefully consider their experiences and feedback to help shape our policies and culture. An equality monitoring form is also sent with all complaint acknowledgements to advise the Trust on this important area. As such, we gather, analyse, report and monitor our workforce and patients equality data by protected characteristics.

Why do we collect and how do we use your information?

We will process your personal information fairly and lawfully by only using it if we have a lawful reason to do so. Making you aware of your rights and how your information is used is important to us and therefore we have summarised this below.

However, please note that we do not rely on consent as a legal basis for processing information that concerns your direct care.  This is because we are obliged by law to make use of your personal information and record the care and treatment we provide to you.  This is also necessary to allow us to provide you with safe and effective care.  It would not be correct to say that you have a choice as to whether or not we will use your personal information if we are going to provide you with care and treatment.  For this reason, instead of consent, we rely on specific provisions under the law, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information.  We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care.

While most of the information we process will be for direct healthcare purposes, please note that there are other important reasons that we may need to process your personal information. For example:

  1. For private care patients we will need to process your data for the administration and obtaining payment for services provided
  2. To conduct clinical research (although any published data is anonymised)

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and / or within our legitimate interests.

We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.

We will keep your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.  In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

Details of retention periods for different aspects of your personal information are (available in our retention policy which you can request from us by contacting us).

In some circumstances we may anonymise and de-identify your personal information (so that it can no longer be associated with you) for research or statistical purposes. In these circumstances we may use this information indefinitely without further notice to you.

We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


Information sharing and disclosure

Your personal information will be shared with the team who are caring for you and are providing your treatment.

NHS and other agencies, including social services and private healthcare organisations work together so we may need to share information about you, with other professionals and services involved in your care. We will only share your information in this way if it is considered necessary.

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care who can seek advice from our Information Governance department.  If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care we will explain this to you so that you can make a fully informed choice.

A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies.  In these rare circumstances we are not required to have your consent and rely on other lawful grounds to process the data for example, our legitimate interests for the purposes of improving our services and website in order to run our organisation effectively and efficiently. We may also process data where it is necessary for the performance of a contract, for example for private patients we need to process billing information.

Other examples of this are:

  1. If there is a concern that you are putting yourself at risk of serious harm
  2. If there is concern that you are putting another person at risk of serious harm
  3. If there is concern that you are putting a child at risk of harm
  4. If we have been instructed to do so by a court
  5. Immigration authorities / relevant third parties requiring information to obtain payment for services provided to overseas visitors
  6. If the information is essential for the investigation of a serious crime
  7. If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  8. If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  9. If regulators use their legal powers to require us to provide them with patient information as part of any investigations they are undertaking.

NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services.  We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.

NHS Digital, on behalf of NHS England, assesses the effectiveness of the care provided by publicly-funded services.  We have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can opt-out of sharing your data with NHS Digital please click on this link.

Your rights

You have certain rights over your personal information. These include the right to access a copy of your personal information or have some elements of it transmitted to you or another health provider in a common electronic format. In certain circumstances you can have your personal information corrected or erased, or you can restrict our use of it. You also have the right to object to the way we use your personal information as described above.

We generally won’t charge you to exercise these rights. You have the following rights:


You have a right to ask UCLH if we have your personal information. If we do, you have a right to know:

  1. why we have it
  2. what type of information we possess
  3. whether we have or will send it to others, especially outside the European Economic Area
  4. how long we will keep it
  5. where we got it from
  6. details of any automated decision-making

If you want, you can ask for a copy of your information.


Where any of your information is incorrect, you have a right to tell us to correct it promptly. Please tell us as quickly as possible if you change your address or other contact details. If your information is incomplete, you can ask us to correct this too.

In certain circumstances, you’ll have the following extra rights:

Right to object

Depending on the legal basis on which we are using your information, you may be entitled to object.

Erasure (right to be forgotten)

You may have a right to have some or all of the information we hold about you deleted. However you should be aware that, as a NHS trust, we are required to retain many records even after you close your file.


In certain circumstances you are may be entitled to receive some of your information from us electronically. We can either pass the information to you or to another person or organisation if you want.


You might also be entitled to ask us to restrict our use of your information — for example, if you think the information we hold on you is incorrect.

Withdrawing consent

If you consent to us using your information, you have the right to withdraw that consent at any time.

You can do this by contacting the Data Rights team:

UCLH Archivist and Records Manager

ICT Directorate

2nd floor A, Maple House

149 Tottenham Court Road



We aim to work with you on any request, complaint or question you have about your personal information. However, if you believe we have not adequately resolved a matter, you have the right, at any time, to complain to the Information Commissioner’s Officer (ICO).

As an independent UK authority, the ICO upholds information rights in the public interest, promotes openness by public bodies and data privacy for individuals. You can visit their website at or ask for details from our Data Rights team.