How we hold patients’ medical records

Nuffield Health Hospitals have a mixture of paper records and electronic records that are used to keep the demographic and clinical information required to diagnose, plan treatment and deliver care to patients. We have a small number of our hospitals using a full electronic health record called TrakCare. This system allows the patient record to be accessed from any hospital location if the patient attends a different hospital for treatment. Access rights are based on the role performed by the staff member and follow the principle of allowing the minimum level of permissions required for the staff member to perform their role.

Please note your consultants and medical practitioners are not employees of Nuffield Health and carry out services as independent practitioners and therefore handle and process patient information within their private practice as separate Data Controllers under the Data Protection Act. Processing of this information may involve your consultant sharing information with Nuffield Health, sending information directly to insurers for settlement of accounts as well as sending details of your treatment to your general practitioner.

All independent consultants and medical practitioners working with Nuffield Health are obliged to ensure data is kept confidential and secure and processed in accordance with all applicable data protection laws including the DPA 2018 and apply appropriate safeguards to protect information.

What information you may be asked to provide

Booking Your Clinic Appointment: The data taken/collected from you will vary depending on how your clinic appointment is booked.

Standard information taken regardless of method of booking will include:

  • Name
  • Gender
  • Marital status, religion, ethnicity (non-mandatory)
  • Postal Address
  • Telephone Number
  • Email (assistance for confirmation of bookings)
  • Date of Birth
  • GP Surgery

Some methods of booking may also include the following data being taken/collected:

  • Source of referral (e.g. GP, self-referral or dentists)
  • Card details for payment (even if you are an insured patient)
  • Referral specialty (e.g. Trauma and Orthopaedics, Ophthalmology, Urology, Gynaecology)
  • Employer or insurer and policy details or referral/authorisation code (if relevant)
  • Maximum session or maximum value allowed under insurer policy (if relevant)


Clinical Appointment

You will be asked to review an Agreement to Terms and Conditions form and confirm details such as your GP details and if relevant, your insurer as well as next of kin and emergency contact details. In addition, if your card payment details are not already on the system then you will be asked for these.

The appointment may include taking a history of your present condition, past medical history, social history including your occupation, previous treatment you have received and by whom. Other questions may be asked to allow the Clinician you are seeing to make an initial diagnosis, decide on any diagnostic tests required and decide upon any requirement for treatment of your condition.

Mental Health Information

Nuffield Health recognises the particular sensitivity of mental health information and the need to maintain confidentiality of any information disclosed. That is why we aim to ensure that notes of such clinic appointments are kept separate from patients’ physical health records. Where our hospitals use electronic health records or booking systems, clinic rooms used will normally have to be booked under the relevant Consultant’s name. Medicines prescribing for mental health outpatient appointments will normally be made on paper and fulfilment of these prescriptions will need to be by an external pharmacy to avoid a record of these medicines being entered onto the physical health record of a patient.

Any patient attending as an in-patient for a surgical procedure and bringing their own mental health prescriptions with them should be aware these will have to be entered onto the same medication chart as all other medicines. As such it will be viewable by all staff requiring to do so.

Where we may collect your information from

As discussed above, there are a number of routes by which you may come to have your hospital appointment through Nuffield Health. How we initially receive information about you will vary depending on which route this is and how your appointment is being booked. So information could be coming from:

  • Yourself directly via a direct booking.
  • Through another health professional working for or outside of Nuffield Health (including the NHS).
  • You have previously had a Hospital appointment through Nuffield Health and therefore your clinician may be able to see notes with regards to your previous treatment (this will vary depending on when you had treatment and in which location).
  • Through your insurer or employer.

Why we need this information and how we might use it

We are required to collect the information that we have outlined above for a number of different purposes, some of which but not all, are listed below and may vary depending on who is paying for your treatment.

Data protection – personal data is required so that we can complete appropriate checks, such as call verification, to ensure we are speaking to the right person.

To provide a smooth patient journey – email addresses and telephone numbers allow us to provide booking confirmation and contact you to book and confirm future appointments.

Clinical treatment – to construct the most effective treatment plan for your condition or symptoms.

A&E – an individual’s medical history may be disclosed to an NHS A&E department as part of emergency treatment, should this be required. An individual’s personal data and special category data may also be shared with third parties (i.e. employer) in the vital interest of both the individual and other natural persons where the individual is physically or legally incapable of giving consent.

The Private Healthcare Information Network (PHIN) – as part of a UK-wide programme to improve the public’s access to information on the quality and outcome of private healthcare, we may share some of your personal data with PHIN but this will be subject to your specific consent.

Billing – a certain amount of information will be shared with the bill payer. If you are using your insurance to cover treatment, the bill payer will be your insurer, but it could also be your employer or you may be self-funding your treatment (please see ‘payment’ below for more information about card details that will be collected as part of your patient journey).

Payment – in accordance with our standard processes all patients are required to provide a credit or debit card when commencing their treatment. Nuffield Health will not store your card details but instead will use them to obtain an algorithmically generated token. Tokenisation is a method used to safeguard the security of your data by substituting your card details with non-sensitive information. Only the token will be stored by us and will be used to acquire payment if required. This will be in the case of you self-funding your treatment or if an invoice for your policy excess, cancellation or ‘did not attend’ charge is not paid.

When things go wrong

Nuffield Health pride ourselves on the quality of our services and consistent positive customer satisfaction. However, we understand that in a small number of cases you may have cause to raise a concern regarding an element of your patient journey.

It is important that Nuffield Health learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern we may need to share information with our compliance team, senior leaders, lawyers or other parties not directly involved with your care. For example, if you were referred to the Hospital under a particular specialty, via your insurer, we might need to discuss your concern with your insurer in order to fully investigate it.

In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with your treating clinician or other professionals involved in your care for the purposes of the investigation.

If the concern has come via a third party, e.g. a regulator, body or solicitor, we may need to disclose your data to them in order to resolve, defend or investigate a concern.

Who your personal data may be shared with

There are variations on who your data may be shared with depending on who is your bill payer. These differences are outlined below.

Handovers to other health professionals – during your treatment journey it may be necessary to share information, with regards to you, with other health professionals who are involved in your direct care, e.g. your GP or a consultant. This could be with regards to referrals to the health professional or reporting back the results of their referral.

Billing – if your insurer or your employer are covering the cost of your treatment we will need to share enough information with the bill payer to ensure they are able to pay for the treatment.

Payment – all patients will have card details collected to take payment up front or to cover any shortfall (for insured patients). Card details are not stored by Nuffield Health. They are stored by a third party card processing provider, who provide Nuffield Health with a non-sensitive payment token to allow us to take payments from that card if necessary to cover shortfall.

Authorisation of treatment (where relevant) – depending on your bill payer we may have been asked to send reports to authorise treatment or with regards to your treatment outcomes. In order to proceed we may need authorisation from the bill payer (i.e. your employer or your insurer) to continue or commence treatment. We will only send the most limited amount of data as is necessary to allow the bill payer to make this assessment.

Research – to continue to improve clinical treatment Nuffield Health may use non-identifiable data as part of a research project or an assessment of our services.

Fair and Lawful Processing

Each organisation is required to demonstrate that they are processing your personal data fairly and lawfully. There are 6 conditions in the Data Protection legislation and we are required to evidence that, for all personal information we use and for each use, 1 of these conditions applies. Consent is probably the condition that has gained the most attention but we only rely on consent in limited circumstances, when you have a genuine choice about the processing and no other condition applies, e.g. to disclose a medical report to your insurer.

We will mainly be processing your personal data based on the following conditions:

  1. Performing a contract
    The processing of your personal information is necessary to do something we are required to do under a contract we have with you e.g. in order to provide you with your treatment in accordance with your patient terms and conditions.
    If you ask us to do something before entering into a contract with us e.g. if you ask us to review your notes before you come in for your procedure it will be necessary for us to request your notes from the doctor you have seen previously in order to fulfil your request.
  2. Emergency
    The processing of your personal information is necessary in order to protect you or another person. Nuffield Health rarely relies upon this condition. In the event your information is needed if you are in danger or your life is at risk we will process your information e.g. if you had to be admitted as an emergency to A&E we may be asked to provide information to support the clinical staff in A&E with their life saving treatment.
  3. Achieving a Legitimate Aim
    The processing of your personal information is necessary to allow Nuffield Health to achieve a specific and legitimate aim. The aim that Nuffield Health want to achieve will be balanced against your rights and how the processing of your information might impact you during the course of achieving that aim. This condition is normally relied upon where the processing is essential for your treatment, but it enhances your experience e.g. having location information available to our booking staff so they can be as helpful as possible when booking in future appointments.
  4. Consent
    Where no other condition is available and you have a genuine choice i.e. that the service won’t be negatively impacted if you opt out or change your mind in the future. As you can see from the other conditions we rely on, they all require your information to be ‘necessary’ for the purpose. Where the processing of your information isn’t ‘necessary’ we will give you the option by asking for your consent and you are free to decide whether you want the processing of your information to happen or not e.g. if you want your information shared with the National Joint Registry.
  5. Treatment/Care
    The processing of your personal information is necessary for your treatment, including your diagnosis and the general management of the systems and the clinical services we offer. You may have noticed that this condition is similar to the first condition in relation to performing a contract but it specifically relates to healthcare and the medical information we will need to process. As this condition relates to health information the processing of your information needs to not only be necessary to achieve these purposes but will still be subject to patient confidentiality. An example of where this condition will be relied upon is: to allow the sharing of a scan between a radiographer and the consultant carrying out the procedure.

How long we will keep your Personal Data

The length of time that Personal Data is stored is set by national legislation and is outlined in the Nuffield Health Privacy Policy.

Automated Decisions

Each Patient journey is different and our highly skilled clinical staff team will ensure that you receive a bespoke patient journey that is right for you. As such, all of our decision making is based on the expert opinion of our team and no part of your journey will be based on wholly automated decisions.

Further Information

For further information about how your data may be processed or to ask any questions please raise this with the staff involved in your treatment. If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer on

Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website