How we handle patient personal data at The London Clinic

This page sets out how we handle your data when you are a patient with us.

This patient privacy notice is in addition to, but does not override, our primary privacy notice.

1. Who ‘we’ are 

When we outline to you how we take care of your data you will notice we use the words ‘the clinic’, ‘we’, ‘us’ or ‘our’. This means we are referring to The London Clinic (also known as Trustees of The London Clinic Limited). We are a limited company and charity registered in England and Wales. Find out more information about our company and charity status.  

We are, in almost all circumstances, what is called the ‘Data Controller’ of your personal data. We are responsible for deciding how we hold and use your data, for taking care of your data and ensuring that anyone we work with, who might need to access your data, also takes care of it and follows our rules. If there is ever a situation where another organisation or person is the Data Controller of your data, we will let you know.   

Before we explain what data we collect, why we collect it and what we do with your data, if you have any questions or concerns, you can reach our Data Protection Officer via emailing  

What we do with your data

Yes, if you are a current, previous, planned, or referred patient. 

If you are a current, previous, planned or referred patient, then we may have your health and medical data, which is considered special category data. We process such data to provide your care and to ensure we meet our medical legal obligations. We may also process your race and ethnic origin data and/or your sexual orientation data as set out in Section 2 below. 

Yes, via various physical and digital methods, including this notice. 

No, our lawful basis for providing your care is our contract with you. We only rely on consent for the processing of your personal data in limited circumstances, e.g. to keep you informed of our services, where you wish to participate in a clinical research project or clinical trial etc. 

Yes, we use your data for various analytical purposes (i.e. clinical research, evaluation of our services, outcomes and wellbeing analysis etc.). We always process such data with a lawful basis in line with our regulatory obligations (for more information about our lawful basis for processing your data please see Section 4 below). 

We may share your data with other people where it is necessary for the delivery of your care, our compliance with a legal obligation, the defence of a legal claim or with your consent. 

No, never! 

Yes, but only with your consent. 

Yes, The London Clinic has an extensive Records Retention Policy to ensure we only keep information only for as long as we need to. 

Yes, alongside applying industry best practice, The London Clinic are compliant with the NHS’s Data Security and Protection Toolkit (‘DSPT’).

Yes, all staff receive training on a regular cycle. 

Yes, we only permit access to those with a legitimate power or reason to access your information. 

Yes, where your rights apply, we will process your request accordingly, and where they do not apply, we will explain this to you.  

2. What data we collect from you 

We will need different pieces of information from you for different purposes which will be driven by your interaction with us. We will always keep the data we need down to a minimum, and internally will ensure that only those with a legitimate need to see your data can do so.  

As a summary, the sorts of data we collect fall into the following categories:  

This will include your basic contact details and ways for us to identify you. For example, your name, home address, email address, date of birth etc.  


We need to process this data to verify your identity and/or respond to your query.  


This will include any information you provide us as part of an enquiry which may include information relating to your physical and/or mental health.  


We will only process your health and medical information at your request and only where it is relevant to your query.  

This will include your ethnicity or race or any other similar data that might be relevant. 


We may need to know details of your ethnicity in order to ensure we meet your specific needs, where medically relevant, or to meet our obligations under applicable law.  

This will include your religious beliefs and religious based requests. 


We do not openly request this information. Should this information be provided, it will be processed only where and to the extent it is medically relevant or to support with religious accommodations. 


Where medically relevant, we may need to know details of your sexual preferences, sex life, and/or your gender identity in order to ensure we meet your specific needs and/or provide your care. 

This will include details of your genetic characteristics or genetic sequence. 


Where medically relevant,  we may process your genetic data in order to provide your care. 

This will include details of your bank cards, bank account, insurance details or other financial data depending on how you choose to pay for any of our goods or services. 


Where we need to take payment for any goods or services, we will need your financial data. This is kept to a minimum and secured to ensure a safe transaction in line with our compliance obligations including, but not limited to, Payment Card Industry Data Security Standard (‘PCI DSS’).  

This will include details of your next of kin (name and contact details) or a family medical history. We will ask for family member names etc for a medical history only where relevant.  


We may need to collect data on other people. For example, your next of kin for contact purposes or details of family medical conditions relevant to your care.  

3. How we lawfully process your data 

We use data for a range of different purposes. These range from needing your consent to send you news and updates about us, through to meeting legal obligations placed on us under English Law as a healthcare provider where we must have certain pieces of information about those we care for. These include, but are not limited to: 

  • To admit you as a patient, assess and deliver your medical and care needs, and consult with your clinician. We may process your contact & demographic, and/or special category data to provide our contracted services and deliver healthcare to you; 
  • To protect your or another person’s vital interests. We may process your personal or special category data if you are in danger or your life is at risk; 
  • To handle your queries or investigate your complaint. Depending on the nature of your query or complaint, we may use your identity, contact, financial, transaction, payment, and/or special category data to respond or investigate. We may process this information under the following legal grounds: performance of a contract, legitimate interests, and/or provision of medical care; 
  • To obtain your feedback, conduct analysis or evaluate our services. We may use your contact, demographic and/or special category data. We may process such information under the following legal grounds: legitimate interests or (explicit) consent; 
  • To ensure ongoing care. We may share information relating to your medical condition or diagnosis with your referrer, the NHS, international medical service or other independent healthcare providers. This is for our legitimate interests and to ensure the ongoing provision of your care; 
  • To enable payment/treatment authorisation, manage your account and/or handle any insurance claims. We may share your basic identifiers, demographics and/or medical reports with your insurer and/or third-party sponsor. This is necessary for the performance of our obligations or your counter-obligations under our contract with you and for the management of our healthcare system and/or the establishment, exercise or defence of a legal claim; 
  • To process payment for your medical care. We may process your payment details and other financial information. That said, we will not store your payment card details but instead use specialised third-party payment processors; 
  • To manage & maintain our IT systems and administer and protect our business. We may process your identity, contact and technical data for troubleshooting, data analysis, testing, systems maintenance and reporting. This is necessary for our legitimate interests and, in some cases, to comply with our legal obligations. 
  • To conduct clinical research. We may use your identity, contact and demographic, and/or special category data with your (explicit) consent. 
  • To submit data to national health initiatives or registries. We may share your personal and/or special category data with national and other professional research or audit programmes and registries where we are legally required to, where it is necessary for reasons of public interest in the area of public health, for our legitimate interest in helping with medical research or with your (explicit) consent. Where personal data identifying you is not required, we will avoid using it as much as possible and may either anonymise the data or obfuscate your details; and 
  • To assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour for example, investigating complaints, clinical concerns, regulatory breaches or investigations. Where we are subject to regulatory bodies (such as the Care Quality Commission) we are under an obligation to share data with them in order progress and investigate the matter. Where personal data identifying you is not required, we will avoid using it as much as possible and may either anonymise the data or obfuscate your details.   

If, after reading the pages relevant to how we are supporting you, you have any further queries then please contact our Data Protection Officer or your Consultant.  

4. Where we get your data from 

We very rarely obtain information about you without your prior knowledge. We will collect your personal data either from you directly, from your Consultant or from a referring body.  

If we receive a piece of information from your Consultant, General Practitioner (‘GP’), NHS Trust, independent healthcare provider, insurer, international medical service or family member, you should know about it prior to us receiving the data or we may confirm we have received it as part of your interaction with your care team.  

5. Who we share your data with 

Where possible we avoid sharing your data with anyone outside of The London Clinic. There will be, however, situations where this is just not possible, and a third party will need to access or be given a copy of your personal data. The typical examples of who we share data with includes: 

Consultants who are Data Controllers in their own right

For example, in order to deliver your care.

Suppliers or collaborators

For example, in order to provide bespoke 3D prosthetics or to support our IT infrastructure.

Regulators, authorities, or government bodies

For example, in order to resolve a complaint that has been raised.

Professional advisers, including external legal advisors, insurance companies, and medical experts

For example, in order to resolve a legal claim or dispute, to provide pre and/or post procedure reviews.

National and other professional research or audit programmes and registries

Approved researchers

Only with your consent.

Your GP, NHS Trust, international medical service or other relevant healthcare organisation

Only at your request, for our legitimate interests, where it is required for the provision of medical care or in an emergency

Third parties for the purposes of debt collection

Third-party payment processors

For the avoidance of doubt, the clinic will not store any of your payment card details.

Delivery companies

For the purposes of transportation.

Third parties for health, wellbeing & patient safety analysis

Third party service providers

For the purposes of storage of information and confidential destruction.

Where personal data identifying you is not required, we will avoid using it as much as possible and may either anonymise the data or obfuscate your details. 

National Data Opt-Out

The national data opt-out is an NHS Digital service which allows an NHS patient to opt out of their confidential patient information being used for research and planning. Find out more about the National Data Opt-Out programme.

6. Where in the world your data is physically sitting 

We use systems, technology and/or support vendors who may store or have access to physical or cloud storage which resides both in the UK and abroad. This includes countries both within the European Economic Area (‘EEA’) and, in limited circumstances, those further afield, for example the United States of America.  

Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable Data Protection Laws and the ICO’s guidance. These range from a contract with that third-party supplier through to technical measures to protect it while it gets there.  

We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care.  

7. How long we keep your data 

We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice or our own legitimate business needs in line with our corporate policies.  

The full range of retentions varies per record, some are only kept short-term, and some kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period: 

  • The amount, nature, and sensitivity of the personal data
  • The potential risk of harm from unauthorized use or disclosure of your personal data
  • The purposes for which we process your personal data and whether we can achieve those purposes through other means  
  • The applicable legal, regulatory, tax, accounting or other requirements. 

8. How we protect your data 

As you can appreciate, we cannot give you the full list of specific measures we have in place to prevent your data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. However, please rest assured that we are committed to ensuring a high level of protection for your data while it is in our management.   

Examples of some of the measures we have in place include:  

  • Agreed organisation-wide standards on security and data handling  
  • IT technical controls to limit access to your personal information only to those employees, agents, contractors and other third parties who have a business need-to-know
  • Physical security controls on our buildings and wards  
  • Contractual controls with third parties (‘our house, our rules’)
  • Training and awareness for all employees and Consultants 
  • Key roles in our organisation with specialist knowledge on Information Governance, Data Protection and Cyber Security to ensure your information is always protected. 

9. What your rights are in connection with your data 

Where we use your information with your consent you have a lot of control of how that data is used and shared by The London Clinic. However, where we are using your data under a legal obligation or other grounds, your rights under Data Protection Laws are more restricted. For example, where we feel we need to share or use data to save your life very few of the Data Protection rights apply.  

A summary of all the Data Protection rights and how they apply to your interactions with us is below:  

This is known as a data subject access request whereby you can receive a copy of the personal data that we hold about you.  This right applies in all circumstances, however there might be some scenarios where we cannot provide you with some of the information requested (i.e. to protect the rights of others or due to legal privilege/confidentiality). If that is the case, we will explain this to you as part of our response to your request.  

Make a data subject access request

You can correct any incomplete or factually inaccurate personal data that we hold about you. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. This right applies in all circumstances, however there might be some scenarios where we cannot retrospectively edit your record. If that is the case, we will explain this to you as part of our response to your request.

We cannot always fulfil your request if there are specific legal reasons requiring us to retain your personal data. We will explain these to you, if applicable, when responding to your request.   

You can ask us to delete or remove your personal data where: 

  • There is no good reason for us continuing to use it

  • You have successfully exercised your right to object to us using it or you have withdrawn your consent

  • We may have processed your information ‘unlawfully'

  • We are required to erase your personal data to comply with English law. 

You can object to our processing of your personal data if: 

  • We are relying on legitimate interests and you feel it impacts on your fundamental rights and freedoms. We may be able to demonstrate compelling overriding legitimate grounds for the processing

  • We are processing for direct marketing purposes. 

You can ask us to suspend processing of your personal data if: 

  • You want us to establish the data’s accuracy

  • Our use of your personal data is unlawful, but you do not want us to erase it

  • You need us to hold the data to establish, exercise or defend legal claims, even if we no longer require it

  • You have objected to our use of your data, but we need to verify whether we have overriding legitimate interests to use it. 

You can request that we provide you or your chosen third-party with your personal data in a structured, commonly used, machine-readable format (an excel spreadsheet for example). This right only applies to electronic/digital information that you have provided to us either with your consent or where we use the information to perform a contract with you. 

At any time, you can complain to either us or the ICO about any concerns you have over how your data is being handled.  

  • To register a complaint with us please email

  • To register a complaint with the ICO please visit their website at or address a letter to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or call their helpline on 0303 123 1113. 

How you can find out more information

If you have any questions or queries about how we handle your personal data at The London Clinic, please get in touch at   

Last updated

Version 2.0. This notice was last updated in February 2022.