Cookies and Internet Protocol (IP) logging

When you visit our website, our server will record your computer's IP address (the unique numerical address given to every computer connected to the Internet) and the time and duration of your visit.

This website uses cookies, a piece of data that may be stored on your computer when you visit a website. Our website will store four Google Analytics cookies on your computer; these cookies store the anonymised IP address (the last digit group of the IP is removed before storage).

Cookies and your IP address will be used to track the pages you visit on our website. We will use this information to analyse the way our site is used and to administer and improve the accessibility of our site. We will not use it for any other purpose. You may disable the use of cookies in your Internet browser without affecting your use of our website.

What is a Privacy Notice?

A privacy notice is a statement explaining how personal and confidential information about patients, service users, and visitors is collected, used and shared within the Royal National Orthopaedic Hospital NHS Trust (“RNOH” or “Trust”). Different organisations use different names for privacy notices and it can sometimes be referred to as a privacy statement, a fair processing notice or a privacy policy. There is also a separate privacy notice available for the information we collect about staff as part of our responsibilities as an employer.

The RNOH is an acute hospital and it provides healthcare services to both the UK and worldwide. Our vision is to be a world-leading orthopaedic hospital with the best patient care and staff experience in the NHS.

Everything the Trust does is underpinned by our four core values:

  • Patients first, always;
  • Excellence, in all we do;
  • Trust, honesty & respect, for each other;
  • Equality, for all.

We are monitored by a number of different National Bodies, including:

  • NHS England
  • Information Commissioner’s Office (ICO)
  • Care Quality Commission (CQC)
  • Department of Health (DH)
  • NHS Improvement

Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by their respective professional bodies.

The Trust would like to demonstrate its commitment to openness and accountability. We recognise the importance of protecting personal and confidential information in all that the Trust does to ensure that we meet our legal responsibilities and other duties, including compliance with the following:

  • Data Protection Act (DPA)
  • Human Rights Act
  • Access to Health Records Act
  • Freedom of Information Act
  • Health and Social Care Act
  • Public Records Act
  • Copyright Design and Patents Act
  • Re-Use of Public Sector Information Regulations
  • Computer Misuse Act
  • Common Law Duty of Confidentiality
  • NHS Care Records Guarantee for England
  • Social Care Records Guarantee for England
  • International Information Security Standards
  • Information Security Code of Practice
  • Records Management Code of Practice
  • Accessible Information Standards
  • General Data Protection Regulations (GDPR)

Your information could be collected in a number of ways by us. This might be via a referral from your GP or by another healthcare professional you have seen. Perhaps information may have been provided directly through you to us from a private health insurance company or by a third party funding your treatment. Information may have been collected over the telephone or by a form that you have completed.

There may also be times when information is collected from another NHS Trust emergency department (A&E) where you may have been unconscious or unable to communicate. In such cases, information may be collected from your relatives or from your next of kin.

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin (financial details for self-paying patients)
  • Details we have had from you during your attendance of appointments
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of X-rays, scans, blood tests, etc.
  • Other relevant information collected from people who care for you and who know you well, such as health professionals, relatives and carers

Where the Trust processes special categories of information in relation to your racial or ethnic origin, religious and philosophical beliefs, Trade Union membership, biometric data or sexual orientation, the Trust will always obtain your explicit consent to those processes unless this is not required by law or the information is required to protect your health in an emergency. Where the Trust processes data with your consent, you have the right to withdraw that consent at any time.

The Trust collects personal and confidential information about you to support the delivery of your appropriate healthcare and treatment. In order to provide you with the best patient care, the Trust must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for the Trust to provide the right care to meet your individual needs.

The Trust uses your information to ensure that:

  • The right decisions are made about your care
  • Your treatment is safe and effective
  • We can work well with other organisations that may be involved in your care

This is important because having accurate and up-to-date information will assist us in providing you with the best patient care. It also ensures that all information is readily available to other health professionals or specialists within our Trust or in another part of the NHS.

There is also the potential for your information to help improve healthcare and other services across our Trust and within the wider NHS. Therefore, your information may also be used to help with:

  • Ensuring that our services can be planned to meet the future needs of patients
  • Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
  • Evaluating and improving patient safety
  • Training healthcare professionals
  • Conducting clinical research and audits, and understanding more about health risks and causes in order to develop new treatments
  • Preparing statistics on NHS performance and monitoring how we spend public money
  • Supporting the health of the general public
  • Government and NHS policies

The GDPR and Data Protection Act has strict principles governing our use of information and our duty to ensure that it is kept safe and secure. Your information may be stored using electronic or paper records, or a combination of both. All our records are restricted so that only authorised individuals have access to them. Restricted access might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you have provided to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you, or there are other circumstances which require us to have your information.

Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you about how your information will be used, and allow you to decide if and how your information can be shared, and with whom.

Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian and, within a Trust, this role sits with the Medical Director. You can find more details online about the RNOH medical director.

To help provide you with the best possible care, sometimes the Trust will need to share your information with others. However, any sharing of information will always be governed by specific rules and laws. We may share your information with a range of health and social care organisations for a specific reason and we will have a duty to tell you why they will be contacting you.

The Trust works with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be shared with them on a secure basis.

For your benefit, we may also need to share some of your information with authorised non-NHS authorities and organisations which are involved in your care. This might include organisations such as local councils, social services, education services, the police, voluntary and private sector providers, private healthcare companies, third party, and embassy sponsors. In such circumstances where we are required to use your personal information, we will only do this if:

  • the information is necessary for your direct healthcare
  • we have received written consent from you to use your information for a specific purpose, e.g. concern/complaint raised by your representative on your behalf
  • there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime
  • there is a legal requirement that will allow us to use or provide information, e.g. a formal Court Order or summons
  • we have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work
  • emergency planning reasons such as protection of the health and safety of others. Typically these relate to severe weather outbreaks of diseases, e.g. seasonal flu, major transport incidents, and terrorism.

Where sharing information involves a non-NHS organisation, a specific information sharing agreement will be put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.

Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.

The Trust at times may outsource a limited number of administration and IT support services to external organisations. These companies are based within the European Economic Area and all services are provided under specific contractual terms which are compliant with legislation.

Only organisations which have a legitimate requirement to have access to your information will be allowed to and only whilst adhering to strict controls and rules. The Trust will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.


Healthcare records are joining up across north central London to improve the services you receive. 

To help health and care professionals make quicker and safer decisions about your care, wherever they are treating you, healthcare records are joining up across Barnet, Camden, Enfield, Haringey and Islington (north central London). This is part of the North London Partner’s Health Information Exchange / HealthIntent project.

What does this mean for you?

Health and care professionals have shared information on paper for many years – we are now able to do this using digital technology.

When you visit one of our hospitals or your GP, your healthcare worker will have all the information to hand to treat you effectively and efficiently. You won’t need to relay the full story of your symptoms, what happened or the medicines you were prescribed, as this will be already accessible from your notes.

Information will be available in real time – or in some cases within 24 hours – and will ensure your health and care teams have the most up to date information about your care. 

Under GDPR regulations, information will only be shared and accessed on a strictly need to know basis by health and care professionals across the five borough of Barnet, Camden, Enfield, Haringey and Islington and only for the purposes of direct care. Data will always be securely held.

What are the benefits of joined-up records?

For people using health and care services, there are many advantages to having joined-up records including:

  • Everyone involved in your direct care will have the whole picture
  • When you visit somewhere different for care or meet a new care professional, they will have access to your health and care information and you won’t need to repeat your story
  • The results of common tests (for example blood tests) will be available to everyone involved in your care, regardless of where the test took place, reducing the need to repeat them or obtain printed results

For us and other health and social care professionals:

  • We will have up-to-date information to plan and improve your care and make more informed decisions
  • We will have to spend less time finding out relevant information from different health and social care organisations and IT systems, and won’t have to spend time recording duplicate information across records 
  • We can work as a team across north central London to identify opportunities for improvement, such as seeing if there needs to be more focus on providing physical health checks for people with learning disabilities

More information on the benefits and what is means for you is available on the North London Partner's website here.

Who else is involved?

Other health and care organisations in the North Central London’s sustainability and transformation partnership (NCL STP) such as GP practices and other hospitals/providers across the boroughs of Barnet, Camden, Enfield, Haringey and Enfield. 

Do I have a choice?

Due to the COVID-19 (coronavirus) pandemic and in the public interest all health and care organisations are legally required to share and process data. This is to ensure health and care professionals have access to vital information to make quicker, safer decisions about your care. The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure. Therefore, the national data opt-out will not apply to data sharing for the purposes of responding to Covid-19. Please read more here:

Where can I find out more?

Read more about this on the North London Partners website.

Information also available in a range of languages and formats here.

You can find the Royal National Orthopaedic Hospital NHS Trust privacy notice here:


Sometimes the Trust may be required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority is granted by the Courts or by a qualified health professional. Reasons may include to report a serious crime or to identify of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information would be released.

The Trust may also be required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by the NHS Information Authority. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the Government Chief Medical Officer. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure that we are operating legally.

Some health records are needed to teach student clinicians about rare cases and rare diseases. Without such material, new doctors and nurses would not be properly trained to treat you and others like you. It is also possible that individuals, such as student nurses, medical students and healthcare cadets are receiving training using such information to care for patients. If staff would like a student to be present whilst treating you, they will always ask for your permission to do so and you have the right to refuse without this affecting the care or treatment that you are receiving.

We also undertake clinical research and audits within the Trust, and your permission may be required for some of this work if we are using your information. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify you or any other individual person.

The Trust may use automated decision making (including profiling) in limited circumstances in the future. This will only be used if there it is evidence that it could improve your treatment whilst at the Trust.

You have the right to refuse (or withdraw) consent to your information being shared at any time. This is also referred to as ‘opt-out’. If you choose to prevent your information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided to you is limited. It may also mean that it might not be possible to offer you certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.

You also have the right to ‘opt-out’ of having your information used in any mandatory audits which the Trust is involved in. If this is the case, you should write to our Information Governance team (using the contact details on the front of this booklet) providing your name, address, date of birth and hospital or NHS number.

National Data Opt-Out

The Royal National Orthopaedic NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services


This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.


How do I opt out or find more information?

To find out more or to register your choice to opt out, please visit the Your NHS Data Matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can change your mind about your choice at any time.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

The Trust complies fully with the national data opt-out and does not use or share information beyond individual care without local patient consent.


The Trust securely stores your information electronically and in paper form. We use different systems depending on the treatment you are having and these are subject to change:

System Purpose
Compucare Private patients administration and charging
ICE ICE allows tracking of clinical requests from wards and clinics, such as blood tests
Tiara Appointment booking systems for patient appointments
Picture Archive Communication System (PACS) Diagnostic imaging system
Patient Outcome Data (POD) Recording outcomes of patient treatment
iCS Core Patient system for managing patient information
NoteOn & C-Store Written patient records, clinic lists that have been electronically scanned and stored
C-Scribe Patient letter transcription
e-Referrals Electronic patient requests from GPs
InfoFlex Cancer patient treatment and management system

If the Trust develops any information systems it will conduct a data protection impact assessment to help identify and minimise the risks of your information being used incorrectly.

Your personal data will be kept in line with the recommendations set out by the Department of Health Management Code of Practice for Health & Social Care:

Record Type     Retention Start Retention Period
Adult health records Patient discharge or patient last seen 8 years
Adult social care records End of care or patient last seen 8 years
Children’s records including midwifery, health visiting and school nursing Discharge or patient last seen 25th birthday or, if the if the patient was 17 at the conclusion of the treatment, records will be kept until their 26th birthday
Death of a patient Ptient records 10 years
Cancer / Oncology records of any patient Diagnosis of Cancer 30 years or 8 years after the patient has died
Medical record of a patient with Creutzfeldt-Jakob Disease (CJD) Diagnosis 30 years or 8 years after the patient has died
Record of long term illness or an illness that may reoccur Discharge or patient last seen 30 years or 8 years after the patient has died

Your records which have reached the end of their administrative life must be destroyed in as secure a manner as is appropriate to the level of confidentiality or protective markings they bear. The methods used to destroy records must provide adequate safeguards against the accidental loss or disclosure of the contents.

A record of the destruction of records, showing their reference, description and date of destruction should be maintained and preserved by the department responsible for the records so that the organisation is aware of those records that have been destroyed and are therefore no longer available.

You have the right to confidentiality under Data Protection Law, the Human Rights Act 1998 and the Common Law Duty of Confidentiality

The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with. We do this through this privacy notice and patient leaflets.

The right of access – to information held about you. For further information please refer to the section “How can you gain access to the information that the Trust holds about you?”

The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us ( so that we are able to contact the person who entered the information. We will correct factual mistakes and provide you with a copy of the corrected information. If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.

The right to erasure – this is also known as your ‘right to be forgotten’ where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. Your health record is retained in accordance with NHS national guidance, and because of our obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period. However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer, The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital.

The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.

The right to object – this is your right to object to the hospital processing your health data because of your particular situation. Because of our obligation to keep health records, it is extremely rare that we would stop processing your data if you wished to continue to be treated by the hospital. If you believe you have compelling grounds for the hospital to stop processing your data, you should contact our Data Protection Officer, The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision would be taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace clinical judgements when making decisions about your care.

If you have provided your consent, you have the right to withdraw your consent at any time. Please speak to your clinician or nurse if you would like to withdraw the consent that you have provided.

You have the right to lodge a complaint with the Information Commissioner Office (ICO) if you believe that the Trust has not complied with the requirements of the GDPR or the DPA with regards to your personal data. Please refer to the section, “How can you contact us with queries or concerns about this privacy notice?” or “How can you make a complaint?”

Under the General Data Protection Regulations (GDPR) and Access to Health Records Act, you have the right to request access to the information that we hold about you using the process known as a ‘Subject Access Request’ (SAR).

You may have the right to see what has been written about a deceased patient in the Trust and their other health records. Access is available to:

  • The patient’s personal representative (this will be the executor of the will or the administrator of the estate)
  • Any person who may have a claim arising out of the patient’s death

Please note that medical records are defined as a “chronological written account of a patient’s examination and treatment which includes patients medical history and complaints, the physician’s physical findings, the results of diagnostic tests and procedures, and medications and therapeutic procedures.”

If you want to view your medical records, you may not need to make a formal application. Nothing in the law prevents healthcare professionals from informally showing you your own records. For further information please contact; The Access to Health Records Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP or Telephone: 020 8909 5366 or Email:

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, then please contact our Information Governance Department:

Post: Information Governance Department, Data Protection Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP


Telephone: 020 3947 0419

You can also find details of our registration with the Information Governance Commissioner online here:

A downloadable copy of this privacy notice is also available below

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend that you contact our Information Governance Department initially to talk through any concerns that you may have.

It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before you follow a more formal process:

  • Post: Complaints and PALS Service, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
  • Email:
  • Telephone: 020 8909 5717 / 5439 / 5741

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

For further information about GDPR please contact:
Data Protection Officer
Tel: 020 3947 0419

Related Documents