A Privacy Notice is a statement that explains how the Royal National Orthopaedic Hospital NHS Trust (“RNOH” or “Trust”) collects, uses, stores, and shares personal and confidential information about patients, service users, and visitors.
Different organisations may refer to a Privacy Notice using terms such as privacy statement, fair processing notice or privacy policy.
The RNOH is a specialist acute tertiary hospital, providing advanced orthopaedic healthcare to patients from both the UK and worldwide.
What is a tertiary hospital?
A tertiary hospital delivers highly specialised medical services for complex or rare conditions, often requiring expert teams, advanced treatments, and specialist equipment. This level of care is beyond what is typically available at primary or secondary healthcare facilities.
As a tertiary hospital, RNOH does not provide emergency services such as Accident & Emergency (A&E) or maternity care. Instead, it focuses on the diagnosis, treatment, and rehabilitation of complex musculoskeletal disorders requiring specialist expertise.
Vision
RNOH aims to provide world-leading neuro musculoskeletal (MSK) healthcare to adults and children.
Our vision is to be the UK's number one MSK healthcare provider with the best patient care and staff experience.
Everything the Trust does is underpinned by our four core values:
- Patients first, always;
- Excellence, in all we do;
- Trust, honesty & respect, for each other;
- Equality, for all.
Oversight and Regulation
RNOH is monitored by a range of national bodies, including NHS England, the Information Commissioner’s Office (ICO), the Care Quality Commission (CQC), the Department of Health and Social Care (DHSC), and NHS Improvement.
Clinical staff are also regulated by their professional bodies such as the General Medical Council (GMC), the Health and Care Professional Council (HCPC) and the Nursing and Midwifery Council (NMC), to maintain high standards of care.
The Trust has issued this Privacy Notice to demonstrate its commitment to openness and accountability, and the responsible handling of personal and confidential information. We recognise the importance of protecting the data entrusted to us and are dedicated to managing it lawfully, fairly, and transparently in all that we do. This Privacy Notice outlines how the Trust complies with its legal, professional, and ethical responsibilities for information governance. We are committed to ensuring that personal data is used appropriately and safeguarded in accordance with the following key legislation, regulations, and standards:
- Data Protection Act 2018 (DPA 2018)
- Data Security & Protection Toolkit / Cyber Essential Standards
- UK General Data Protection Regulations 2021 (UK GDPR)
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act (FOIA) 2000
- Health and Social Care Act 2012
- National Health Service Act 2006 (including Section 251 provisions)
- Mental Capacity Act 2005
- Equality Act 2010
- Public Records Act 1958
- Re-Use of Public Sector Information Regulations 2015
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- Records Management Code of Practice for Health and Social Care 2021
- Accessible Information Standard (NHS England, 2025)
We could collect your information in a number of ways. This might be via a referral from your GP or from another healthcare professional you have seen. Information may also have been provided directly through you to us from a private health insurance company or by a third party funding your treatment. Information may have been collected over the telephone or on a form that you have completed.
As a healthcare provider, the RNOH may therefore collect sensitive data in situations such as the following:
- When submitting or receiving a referral request
- During your appointments or consultations with the teams delivering your care
- When carrying out diagnostic testing, or other treatments
- When consenting to be a part of any research work carried out by the Trust
There may also be times when information is collected from another NHS Trust's Emergency Department (A&E) where you may have been unconscious or unable to communicate. In such cases, information may be collected from your relatives or from your next of kin. Please take a minute to read the section on Next of Kin (NOK).
Most healthcare professionals who are involved in delivering your care will keep a record of your information, including details about your health and treatment. The information that we collect about you may include details such as:
- Name, address, telephone, email, date of birth and next of kin contact details
- Financial details for self-paying patients
- Details we have had from you during your attendance of appointments
- Details and records of treatment and care, notes and reports about your health, including any medicines, allergies or health conditions
- Results of diagnostic tests including X-rays, scans, blood tests, etc.
- Other relevant information collected from people who care for you and who know you well, such as health professionals, relatives and carers
The GDPR sets out ‘special categories’ of personal information which are subject to additional considerations and protection, beyond the general requirements for processing personal data. These specific categories include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or Sexual Orientation
The Trust will always obtain your explicit consent to the processing of such data, unless this is not required by law or the information is required to protect your health in an emergency. Where the Trust processes data with your consent, you have the right to withdraw that consent at any time. An example of why we would collect ethnic, religious or philosophical information would be for dietary requirements, or to make us aware of restrictions to the use of specific medicines.
The Trust collects personal and sensitive information about you to support the delivery of your appropriate healthcare and treatment. In order to provide you with the best patient care, the Trust must keep accurate and up to date records about you, your health and the care that we provide, or plan to provide to you. It is important for the Trust to hold the correct information, as this helps us plan, and ensure we provide the right care to meet your individual needs. While most of the information we collect and process will be relating to healthcare, there may be other reasons why we may need to collect and process personal information. Such examples may include clinical research to improve patient outcomes (any research data published would be anonymised (unidentifiable)), or for administrative purposes.
When you are admitted, you may nominate a Next of Kin (NoK). This is someone you trust to support you in the event that you cannot make decisions or communicate with the medical team providing your care. Your NoK can offer guidance but does not have legal authority over your care unless certain legal arrangements are made. This can include being appointed as a Lasting Power of Attorney (LPA).
Lasting Power of Attorney (LPA):
- This allows a person (the patient) to appoint someone (the attorney) to make health and welfare decisions on their behalf if they become unable to do so.
- The LPA only comes into effect once the individual is deemed incapable of making their own decisions.
Key Points:
- The NoK’s contact details are kept confidential and used only to communicate about your care when necessary, or in the event of an emergency.
- The NoK does not have automatic access to your medical, or personal information unless you consent, or they have legal authority to do so.
- You are not required to nominate a NoK but can do so at any time.
- Updates or changes to your nominated NoK must be requested by you, the patient.
- The NoK has rights over their own personal data held by the hospital, including the right to access and correct their contact details.
- If you have an LPA, please inform the hospital separately as this role has different legal rights.
- For patients under the age of 18, the NoK is usually someone who holds parental responsibility, or is a legal guardian.
NoK details cannot be removed under your Data Protection rights of ‘right to be forgotten’. They will only be deleted if the patient requests it.
For more helpful information relating to NoK, please refer to our patient leaflet here:
For changes or removal requests, contact: rnoh.
As a healthcare provider, we use your information to provide you with direct care without the need to rely on ‘Consent’ as a legal basis for processing information. Under Data Protection Laws, we ensure that information is processed in a fair and lawful manner, and only for the purposes it was collected for. Should we consider that the information needs to be processed for a reason other than to provide you with direct care, we will ensure that the reasons are compatible with the original purpose, and in accordance with one of the valid lawful bases provided for processing information under UK Law. An example of this would be to use your information for clinical research purposes, or to improve future patient outcomes.
We will only collect and use the personal information that is necessary to provide your care and support. We are committed to keeping your information accurate and up to date; if you notice any errors, please let us know so we can correct them promptly. We also ask that you inform us of any changes to your information to ensure it remains current, such as a change in address or contact details. Your personal data will only be retained for as long as needed to fulfil the purpose it was collected for, including meeting any legal, regulatory, or reporting requirements. Please see our section below for further information on how long the Trust keeps information about you.
Surveillance cameras have become part of modern life and are an expected feature in public buildings and areas, or spaces to which the public have largely unrestricted access. Surveillance cameras can be used to monitor a wide variety of locations and aid the deterrence of crime and other incidents. The primary purpose of surveillance cameras at RNOH Trust is to protect patients, visitors, staff and Trust property, by providing a visible deterrent and culture coherent with surveillance camera operations and by providing recorded images for later analysis with the option of active monitoring. All surveillance carried out by the Trust is in line with GDPR, the CCTV Code of Practice 2018, and the Surveillance Camera Code of Practice 2013.
Non-evidentiary content (content with no value) will remain on the server for a period of 31 days, after which it will be deleted.
The Trust operates a text messaging reminder facility for certain services. You can opt in to this service by confirming your contact details, including your mobile telephone number during your next visit to the hospital. Text messages will then be sent to the mobile telephone number you have provided us with.
Please note that if the mobile telephone number you provide us with is not your own, we cannot be held responsible if someone else reads the text message sent to this number about you.
The text messaging reminder facility can be removed by you at any time. This will not affect our use of your mobile telephone number to contact you by phone call.
When collecting or transferring sensitive information such as your health and/or personal details, we use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure.
However, any information we receive from you via web-based email systems and any response we might transmit via email in return, cannot be guaranteed to be completely protected from access by unauthorised persons. This is because the World Wide Web is beyond our control. It is also the case that we cannot guarantee who has access to an individual’s emails within any home, office or public setting.
If we receive an email from you via a web-based email system, we will assume that you have provided your consent for us to respond to that email address and that you have taken into account the issues raised above. Please make it clear in your email if you do not wish for us to directly reply to you. This may apply in situations where you have shared email accounts with others, or shared responsibilities.
The GDPR and Data Protection Act have strict principles governing our use of information and our duty to ensure that it is kept safe and secure. Your information may be stored using electronic or paper records, or a combination of both. All our records are restricted so that only authorised individuals have access to them. Restricted access might be through the use of technology or other environmental safeguards. An example would be authorised staff using Trust issued ID cards to access secure areas of the Trust.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you have provided to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you, or there are other circumstances which require us to have your information.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you about how your information will be used, and allow you to decide if and how your information can be shared, and with whom.
Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian and, within a Trust, this role sits within the Medical Directorate.
To help provide you with the best possible care, sometimes the Trust will need to share your information with others. However, any sharing of information will always be governed by specific rules and laws. We may share your information with a range of health and social care organisations for a specific reason and we will have a duty to tell you why they will be contacting you.
The Trust works and partners with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be shared with them on a secure basis.
For your benefit, we may also need to share some of your information with authorised non-NHS authorities and organisations which are involved in your care. This might include organisations such as local councils, social services, education services, the police, voluntary and private sector providers, private healthcare companies, and third-party and embassy sponsors. In such circumstances where we are required to use your personal information, we will only do this if:
- the information is necessary for your direct healthcare
- we have received written consent from you to use your information for a specific purpose, e.g. concern/complaint raised by your representative on your behalf
- there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime
- there is a legal requirement that will allow us to use or provide information, e.g. a formal Court Order or summons
- we have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work
- emergency planning reasons such as protection of the health and safety of others. Typically, these relate to severe weather, outbreaks of diseases, e.g. seasonal flu, major transport incidents, and terrorism.
Where sharing information involves a non-NHS organisation, a specific information data sharing agreement will be put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.
The Trust at times may outsource a limited number of administration and IT support services to external organisations. These companies are based within the European Economic Area and all services are provided under specific contractual terms which are compliant with legislation.
Only organisations which have a legitimate requirement to have access to your information will be allowed to and only whilst adhering to strict controls and rules. The Trust will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
We may share information about the private care you receive with the Private Healthcare Information Network (PHIN), an independent organisation that collects and publishes information on private healthcare providers. This helps private patients make informed choices and supports improvements in the quality, safety, and outcomes of private healthcare services.
Healthcare records are now joined up across north central London to improve the services you receive.
To help health and care professionals make quicker and safer decisions about your care, wherever they are treating you, healthcare records are now joined up across Barnet, Camden, Enfield, Haringey and Islington (north central London). This is part of the North London Partner’s Health Information Exchange/HealtheIntent project.
HealtheIntent is a digital platform which allows health and care professionals in north central London to provide more proactive care to residents and communities.
It links together health and care information about residents in north central London from different providers, giving a more complete picture of the health and care needs of individuals and groups. This helps professionals identify health and care needs, gaps in care or inequalities in outcomes for the populations they serve.
Health and care professionals have shared information on paper for many years – we are now able to do this using digital technology.
When you visit one of our hospitals or your GP, your healthcare worker will have all the information to hand to treat you effectively and efficiently. You won’t need to relay the full story of your symptoms, what happened or the medicines you were prescribed, as this will be already accessible from your notes.
Information will be available in real time – or in some cases within 24 hours – and will ensure your health and care teams have the most up to date information about your care.
Under GDPR regulations, information will only be shared and accessed on a strictly need to know basis by health and care professionals across the five boroughs of Barnet, Camden, Enfield, Haringey and Islington and only for the purposes of direct care. Data will always be securely held.
For people using health and care services, there are many advantages to having joined-up records including:
- Everyone involved in your direct care will have the whole picture
- When you visit somewhere different for care or meet a new care professional, they will have access to your health and care information and you won’t need to repeat your story
- The results of common tests (for example blood tests) will be available to everyone involved in your care, regardless of where the test took place, reducing the need to repeat them or obtain printed results
For us and other health and social care professionals:
- We will have up-to-date information to plan and improve your care and make more informed decisions
- We will have to spend less time finding out relevant information from different health and social care organisations and IT systems, and won’t have to spend time recording duplicate information across records
- We can work as a team across north central London to identify opportunities for improvement, such as seeing if there needs to be more focus on providing physical health checks for people with learning disabilities
Who else is involved?
Other health and care organisations in the North Central London’s sustainability and transformation partnership (NCL STP) are also involved, such as GP practices and other hospitals/providers across the boroughs of Barnet, Camden, Enfield, Haringey and Islington.
Do I have a choice?
Due to the COVID-19 (coronavirus) pandemic and in the public interest all health and care organisations are legally required to share and process data. This is to ensure health and care professionals have access to vital information to make quicker, safer decisions about your care. The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure. Therefore, the national data opt-out will not apply to data sharing for the purposes of responding to Covid-19.
Sometimes the Trust may be required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority is granted by the Courts or by a qualified health professional. Reasons may include reporting a serious crime or identifying an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information would be released.
The Trust may also be required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by the NHS Information Authority. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the Government Chief Medical Officer. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure that we are operating legally.
Some health records are needed to teach student clinicians about rare cases and rare diseases. Without such material, new doctors and nurses would not be properly trained to treat you and others like you. It is also possible that individuals, such as student nurses, medical students and healthcare cadets are receiving training using such information to care for patients. If staff would like a student to be present whilst treating you, they will always ask for your permission to do so and you have the right to refuse without this affecting the care or treatment that you are receiving.
We also undertake clinical research and audits within the Trust, and your permission may be required for some of this work if we are using your information. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify you or any other individual person.
The Trust may use automated decision making (including profiling) in limited circumstances in the future. This will only be used if there is evidence that it could improve your treatment whilst at the Trust.
You have the right to refuse (or withdraw) consent to your information being shared at any time. This is also referred to as ‘opt-out’. If you choose to prevent your information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided to you is limited. It may also mean that it might not be possible to offer you certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.
You also have the right to ‘opt-out’ of having your information used in any mandatory audits which the Trust is involved in. If this is the case, you should write to our Information Governance team (using the contact details on the front of this booklet) providing your name, address, date of birth and hospital or NHS number.
The Royal National Orthopaedic NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
How do I opt out or find more information?
To find out more or to register your choice to opt out, please visit the Your NHS Data Matters web page. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can change your mind about your choice at any time.
Health and care organisations had until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
The Trust complies fully with the national data opt-out and does not use or share information beyond individual care without local patient consent.
Artificial Intelligence (AI) is increasingly used in healthcare to support clinicians in delivering faster, safer, and more effective care. At RNOH, AI technologies may assist with tasks such as analysing scans, supporting remote monitoring, or aiding diagnosis and treatment planning.
Where AI is used to support your care:
- AI is never used to make decisions on its own. A qualified clinician will always review and discuss any recommendations with you.
- Your personal data is only used where necessary and always in line with data protection laws.
In some cases, anonymised or pseudonymised data may be used to help improve AI tools for future care. If identifiable data is needed for this purpose, it would require special approval through national processes such as the Health Research Authority’s Confidentiality Advisory Group (CAG).
You have the right to opt out of your data being used beyond your individual care, as explained in the National Data Opt-out section.
At the Royal National Orthopaedic Hospital (RNOH), we are dedicated to safeguarding your privacy and ensuring the confidentiality of your personal health information. As part of our commitment to improving patient care, UCLH (University College London Hospital) will be hosting a shared instance of the Epic Electronic Patient Record (EPR) system that includes both RNOH and UCLH patient records.
The EpicConnect programme enables secure and authorised sharing of your relevant health information between healthcare providers involved in your care. This integration aims to improve coordination, continuity, and safety throughout your treatment and appointments.
Your health data will be processed in accordance with applicable data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Access to your information will be strictly limited to healthcare professionals directly involved in your care, and only for purposes related to your treatment.
The Trust stores your information electronically and in paper form securely. We use different systems depending on the treatment you are having and these are subject to change:
University College London Hospital (UCLH) Hosting RNOH Systems

| System | Purpose |
|---|---|
| EPIC Electronic Patient Record (EPR) | Epic EPR is an electronic patient record system that streamlines the process of managing your health information by centralising all key medical systems in one secure digital platform, accessible only by authorised healthcare staff to support safe and coordinated care. |
| EpicCare Link | EpicCare Link RNOH is a secure online system that allows healthcare professionals, such as GPs, to access information related to your care at RNOH. This includes details about hospital admissions, outpatient appointments, and test results. |
| EpicCare Everywhere | EpicCare Everywhere is a digital system that enables RNOH healthcare professionals to securely access and share patients’ medical records with other healthcare providers across different organisations. This helps ensure coordinated and continuous care. |
| EpicMyCare | EpicMyCare is the digital platform used by the Royal National Orthopaedic Hospital (RNOH) to provide patients with access to their health information. The platform is designed to enhance transparency, enable patients to view their medical records, appointment details, and communicate securely with healthcare providers. |
| Intersystem Healthshare | Intersystem HealthShare is a secure system that helps your healthcare providers share your medical information with each other. This ensures that your doctors and nurses have access to your complete health history, labs, medications, and other important details. By sharing information safely, it helps improve your care, avoid duplicate tests, and ensure everyone involved in your health is well-informed. |

RNOH Tertiary Onsite systems

| System | Purpose |
|---|---|
| Change Healthcare Radiology Station | Change Healthcare Radiology Station is a specialised computer system used by healthcare providers to manage and organize your medical imaging and radiology reports. It helps doctors schedule, track, and interpret your imaging exams such as X-rays, MRIs, and CT scans. |
| MedLIMS Histopathology | MedLIMS Histopathology is a specialised Laboratory Information Management System (LIMS) designed to support diagnostic pathology laboratories, particularly in histopathology. Histopathology is the medical discipline that involves examining tissues and cells under a microscope to diagnose various diseases, including cancer and infections. |
| Dexa Scan | Dual-Energy X-ray Absorptiometry (DEXA) scan is a quick, painless test that measures bone density to assess bone health and the risk of osteoporosis. The system collects and stores your medical information and scan results to support your healthcare. |
| Compucare Private Patients | Compucare is a private patient billing and administrative solution that helps hospitals and clinics manage their private patient services. It integrates with existing hospital systems, offering features like electronic patient records, enterprise billing, and electronic invoice submission, streamlining various aspects of private patient care. |
| Lincor Patient Entertainment | Lincor Patient Entertainment is a digital platform designed to enhance the patient experience in healthcare settings, including NHS hospitals. It typically provides patients with access to a range of entertainment options such as TV, movies, music, internet browsing, and educational content directly through bedside devices or in-room systems. |
| Vocera | Vocera provides hands-free communication devices, like the Smartbadge and Minibadge, that help nurses and doctors talk to each other easily using their voices. This means they can share important information quickly, get help faster, and take better care of you during your stay. |
| Point of Care Testing | During your appointment, a healthcare professional may perform rapid tests such as blood glucose, INR, or vital sign observations. This information will be stored securely as part of your medical record and used solely to support your care. |
| Legacy Clinical Data Viewer | Legacy Clinical Viewer is a new purpose-built application designed to provide access to legacy clinical patient data. |

RNOH External systems

| System | Purpose |
|---|---|
| NHS England Services | NHS England services where information is shared include the Personal Demographic Service (PDS), which is a national database containing patient details; the Summary Care Record (SCR), providing a summary of key patient information; e-Referrals, an electronic system used for transferring referrals from primary to secondary care; the Care and Health Identity Service (CHIS), which facilitates authentication and access to NHS digital services; and MESH, the Message Exchange for Social Care and Health, a secure messaging platform that enables communication between social care and health providers. |
|
London Shared Care Record (ShCR) |
London Shared Care Record: Health and care professionals securely share key information about you to support safer, more joined-up care. Only those involved in your care can see your record. You can opt out at any time. More info: https://www.onelondon.online/ Opt-out: https:// |
|
Health Services Laboratories (HSL) |
Health Services Laboratories (HSL) provides pathology and diagnostic laboratory services, including blood tests, tissue analysis, molecular diagnostics, and specialist testing to support patient diagnosis, treatment, and monitoring. |
|
Steeper Meditech (Orthotics & Prosthetics) |
Steeper Meditech collects and uses your personal and medical information to provide safe and effective prosthetic and orthotic care. We keep your information secure and only share it when it helps with your treatment or to meet safety standards. |
|
Everlight RIS / PACS |
Everlight RIS (Radiology Information System) and PACS (Picture Archiving and Communication System) work together to manage and store medical imaging data and related patient information. RIS handles scheduling, reporting, and workflow management for radiology departments, while PACS securely stores and provides easy access to medical images like X-rays, MRIs, and CT scans for healthcare providers. |
|
Primary Care (EMIS / TPP) |
Primary Care (EMIS/TPP) are secure computer systems used by your GP practice to keep your medical records safe and organised. These systems help your GP access your information quickly to provide the best care. |
|
Genesis |
Genesis Inventory Management makes sure the right medical supplies are available for your treatment when needed. It does this without collecting or storing any of your personal information. |
|
Digital Pathology |
We are a partner in the National Pathology Imaging Co-operative (NPIC), a programme that uses digital technology to improve how pathology images (like microscope slides) are viewed and used. Your images and related information may be shared securely within NPIC to help improve diagnosis, develop new tests, and support research. |
If the Trust develops any information systems it will conduct a data protection impact assessment (DPIA) to help identify and minimise the risks of your information being used incorrectly.
Your personal data will be kept in line with the recommendations set out by the Department of Health Management Code of Practice for Health & Social care:
Care Records

| Record Type | Retention Start | Retention Period |
|---|---|---|
| Adult health records | Patient discharge or patient last seen | 8 years |
| Adult social care records | End of care or patient last seen | 8 years |
| Children’s records including midwifery, health visiting and school nursing | Discharge or patient last seen | 25th birthday, or if the patient was 17 at the conclusion of the treatment, records will be kept until their 26th birthday |
| Death of a patient | Patient records | 10 years |
| Cancer / Oncology records of any patient | Diagnosis of Cancer | 30 years or 8 years after the patient has died |
| Medical record of a patient with Creutzfeldt-Jakob Disease (CJD) | Diagnosis | 30 years or 8 years after the patient has died |
| Record of long term illness or an illness that may reoccur | Discharge or patient last seen | 30 years or 8 years after the patient has died |

Your records which have reached the end of their administrative life must be destroyed in as secure a manner as is appropriate to the level of confidentiality or protective markings they bear. The methods used to destroy records must provide adequate safeguards against the accidental loss or disclosure of the contents.
A record of the destruction of records, showing their reference, description and date of destruction should be maintained and preserved by the department responsible for the records, so that the organisation is aware of those records that have been destroyed and are therefore no longer available.
You have the right to confidentiality under Data Protection Law, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.
The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with. We do this through this privacy notice and patient leaflets.
The right of access – to information held about you. For further information please refer to the section “How can you gain access to the information that the Trust holds about you?”
The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us (rnoh.
The right to erasure – this is also known as your ‘right to be forgotten’ where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. Your health record is retained in accordance with NHS national guidance, and because of our obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period. However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer, rnoh.
The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital.
The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.
The right to object – this is your right to object to the hospital processing your health data because of your particular situation. Because of our obligation to keep health records, it is extremely rare that we would stop processing your data if you wished to continue to be treated by the hospital. If you believe you have compelling grounds for the hospital to stop processing your data, you should contact our Data Protection Officer, rnoh.
Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision would be taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace clinical judgements when making decisions about your care.
If you have provided your consent, you have the right to withdraw your consent at any time. Please speak to your clinician or nurse if you would like to withdraw the consent that you have provided.
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that the Trust has not complied with the requirements of the GDPR or the DPA with regard to your personal data. Please refer to the section, “How can you contact us with queries or concerns about this privacy notice?” or “How can you make a complaint?”
Under the General Data Protection Regulation (GDPR) and Access to Health Records Act, you have the right to request access to the information that we hold about you using the process known as a ‘Subject Access Request’ (SAR).
You may have the right to see what has been written about a deceased patient in the Trust and their other health records. Access is available to:
- The patient’s personal representative (this will be the executor of the will or the administrator of the estate)
- Any person who may have a claim arising out of the patient’s death
Please note that medical records are defined as a “chronological written account of a patient’s examination and treatment which includes patient’s medical history and complaints, the physician’s physical findings, the results of diagnostic tests and procedures, and medications and therapeutic procedures.”
If you want to view your medical records, you may not need to make a formal application. Nothing in the law prevents healthcare professionals from informally showing you your own records.
For further information please contact:
The Access to Health Records Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
or Telephone: 020 8909 5366
or Email: rno-tr.
If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, then please contact our Information Governance Department:
Post: Information Governance Department, Data Protection Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
Email: rnoh.
Telephone: 020 3947 0419
You can also find details of our registration with the Information Governance Commissioner online here:
- Search Information Commissioner
- Our ICO registration number is Z6139846
A downloadable copy of this privacy notice is also available below
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend that you contact our Information Governance Department initially to talk through any concerns that you may have.
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before you follow a more formal process:
- Post: Complaints and PALS Service, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
- Email: rnoh.complaints@nhs.net
- Telephone: 020 8909 5717 / 5439 / 5741
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Web: Information Commissioner
- Telephone: 0303 123 1113
For further information about GDPR please contact:
Data Protection Officer
Tel: 020 3947 0419
rnoh.informationgovernance@nhs.net
Page last updated: 14 November 2025
