Privacy Policy
The Hospital of St John and St Elizabeth (“HJE”, “we”, “us”, or “our”) is registered in England and Wales under Company Number 02808390. Our registered office is located at 60 Grove End Road, London, NW8 9NH. We are an independent provider of private healthcare and in order to provide healthcare services, we need to collect and process certain information about you (“personal data”).
This Privacy Notice applies to individuals who provide us with personal data or from whom we receive personal data, in connection with receiving or seeking healthcare services (“patients”, “visitors” or “data subjects”). This includes personal data collected during your visits to our premises, use of our website, inquiries, or receipt of healthcare services. It outlines how we collect, use, and protect your personal data.
As a “Data Controller” under the UK General Data Protection Regulation, HJE is responsible for the collection, storage, and handling of your personal data. This means we determine how and why your data is processed. We are committed to managing your personal data securely and appropriately, ensuring compliance with the principles of “data protection by design and by default.”
What personal data do we collect and process from our Patients and Visitors?
- Your name, address, and contact details
- Your date of birth, gender and marital status
- Financial information, such as credit or debit card details used for payments
- Your occupation
- Emergency contact details, including next of kin
- Background referral details
- Images received and/or captured by our closed-circuit television (“CCTV”) systems
We may also collect data that falls under the ‘Special Category Data’ as relevant to the provision of healthcare services to you. This includes:
- Health related data including current and historical records of your physical and mental health
- Full details of care you have received at HJE and all the related notes and images
- Data revealing your nationality, race, ethnicity, religious or philosophical beliefs
- Genetic and biometric data
- Data concerning your sex life and sexual orientation
In addition, if you change personal data which we already hold about you (for instance by changing a pre-populated form) then we will update our systems to reflect the changes, but our systems will also continue to hold the originally recorded personal data.
Why we process your personal data
We process your personal data for several purposes, and in each case, we must have a valid legal basis for doing so. When processing special category data such as health-related information (see section on Special categories of personal data above) we must have an additional specific legal basis.
Legal Bases
- Consent: We process your data because you have provided consent (regardless of form) for a specific purpose.
- Contract: We process your data as necessary to fulfil a contract you are a party to or to take steps before entering into a contract with you.
- Legal Obligation: We process your data as required to comply with a legal obligation.
- Vital Interest: We process your data to protect your vital interests or the vital interests of another person.
- Overriding Legitimate Interest: We process your data because we or a third party have a legitimate interest in doing so, provided that this interest is not overridden by your rights and freedoms. This applies especially when processing data of minors.
Our Purposes
1. Patient Registration
We need your information to register you as our patient.
Legal Bases
- Contract: To take the necessary steps for you to enter into a contract with us for the provision of care
- Legitimate Interest: to deliver our services to you
2. Provision of healthcare services
We collect and process your personal data to carry out diagnostic tests (e.g., blood tests, imaging, or other lab work) as part of your medical assessment and treatment. As the primary purpose of your visit is to receive care, your data is crucial for ensuring that we provide accurate diagnoses and effective treatments. The information you provide allows us to assess your health condition, determine the appropriate course of action, and monitor your progress throughout treatment. By using your personal data, we can make informed decisions, tailor your care to your specific needs, and ensure that diagnostic tests are conducted in compliance with healthcare standards and regulations. This data is vital not only for the immediate care you receive but also for maintaining the quality and safety of the healthcare services we offer.
Legal Bases
- Contract: Processing is necessary to provide medical services as part of a contractual relationship
- Consent: Processing may rely on the patient’s explicit and implicit consent to carry out specific tests.
Additional Legal Basis for Special Category Data
- Vital Interest: to protect your vital interests where you are physically or legally incapable of giving consent, for example in an emergency if you are incapacitated.
- Health and social care: to provide your care.
3. Billing and Payment
We require your personal data to process payments, manage billing, and handle insurance claims for the medical services provided. This includes verifying your payment details, submitting claims to insurers, and ensuring accurate invoicing for the services you receive.
Legal Bases
- Contract: Necessary for the performance of the contract with the patient for the provision of services.
- Legal Obligation: To comply with tax and financial reporting requirements.
Additional Legal Bases for Special Category Data
- Health or social care: to provide your care; and
- Legal claims: establish, exercise or defend our legal claims (if applicable).
4. Clinical Audits
We may carry out internal clinical audits by reviewing health records, including your medical information, to assess the quality of care provided, ensure compliance with clinical standards, and identify areas for improvement. These audits may be required by law or conducted voluntarily to maintain high standards of patient care.
We may also be required to share relevant data with healthcare regulators such as the Care Quality Commission (CQC), NHS Digital, Public Health England (PHE), and professional regulators (e.g., General Medical Council, Nursing and Midwifery Council) in connection with statutory audits or inspections.
Legal Bases
- Legal Obligation: To comply with our legal and regulatory obligations.
- Legitimate Interests: To support our ongoing commitment to improving care quality, with appropriate safeguards in place to protect your privacy.
Additional Legal Bases for Special Category Data
- Substantial Public Interest: For ensuring high standards of care and public health.
- Health or Social Care: For the management and improvement of health and care services.
5. Disclosure to the Private Healthcare Information Network
We are required under the Competition and Markets Authority’s Private Healthcare Market Investigation Order 2014 to share specific information about your care with the Private Healthcare Information Network (PHIN). This includes details such as your NHS number, postcode, procedure type, length of hospital stay, any complications, recovery outcomes, and feedback you provide through Patient Reported Outcome Measures (PROMs).
PHIN is an independent, government-approved body responsible for collecting and publishing data on the quality and outcomes of private healthcare in the UK. Its role is to improve transparency and help patients make more informed choices about their care.
You can find PHIN’s Privacy Notice at: www.phin.org.uk.
Legal Bases
- Legal Obligation: To comply with statutory reporting requirements under the CMA Order.
- Legitimate Interests: To contribute to national efforts to monitor and improve the quality and transparency of private healthcare, where this does not override your rights.
Additional Legal Bases for Special Category Data
- Substantial Public Interest: For public interest purposes in promoting healthcare transparency and accountability.
- Health or Social Care: For the management and improvement of healthcare systems and services.
6. Addressing and Resolving Queries or Complaints
We take your feedback, concerns, and complaints seriously to ensure the highest level of service and patient care. If you have any queries, complaints, or issues related to your care or experience with us, we may need to use your personal data to fully address and resolve the matter. This could include investigating the situation, identifying any areas for improvement, or offering resolutions. We may contact you to gather additional details, provide updates, or offer explanations regarding the outcome of our investigations into your concerns. In some cases, we may need to share relevant details within our organisation or with healthcare professionals to resolve the issue effectively.
Legal Bases
- Contract: to provide your care and other related services; and
- Legitimate interests: for our legitimate business interest to ensure our patients’ queries and complaints are answered, which does not overly prejudice you.
Additional Legal Bases for Special Category Data
- Health or social care: to provide your care; and
- Legal claims: to establish, exercise or defend legal claims.
7. Liaising with Third Parties involved in your care
To ensure safe, effective, and coordinated care, we may need to share relevant personal data with other healthcare professionals involved in your treatment. This may include your GP, referring consultants, diagnostic providers, specialists, or allied health professionals (e.g. physiotherapists or dietitians). Sharing your information allows those involved in your care to make informed clinical decisions, avoid duplication of treatment, and improve your overall healthcare experience.
In addition, if you have named an emergency contact or someone else you would like us to update about your condition (such as a family member or carer), we may share limited relevant information with them—particularly in urgent or emergency situations.
Legal Bases
- Contract: To provide your care and any related healthcare services you have requested or consented to.
- Legitimate Interests: To ensure continuity of care and appropriate clinical communication, where this does not override your rights and freedoms.
Additional Legal Bases for Special Category Data
- Health or Social Care: For the provision or management of health or social care services.
- Substantial Public Interest: Where sharing is necessary to safeguard your wellbeing or support the wider healthcare system.
- Legal Claims: To establish, exercise, or defend legal claims, if required.
8. Training and Service Improvements
We are committed to providing high-quality care and continuously improving our services. As part of this commitment, we may use your personal data to evaluate and enhance the quality of our care, staff training, and overall service delivery. This includes activities such as reviewing recorded phone calls to assess the quality of our communication and identifying areas where we can improve patient safety, service quality, and staff performance.
Legal Basis
- Legitimate Interests: For our legitimate business interest in improving the quality of care, enhancing training, and ensuring security, as long as this does not outweigh your rights and freedoms.
Additional Legal Basis for Special Category Data
- Health or Social Care: To manage and improve the healthcare services we provide, including using survey responses to identify areas for necessary improvements.
9. Business Operation
We need to use personal data for various aspects of managing our business operations, such as reviewing CCTV images for security purposes, retaining necessary accounting and operational records, and conducting internal audits to maintain the efficiency and compliance of our business practices.
Legal Bases
- Legal Obligation: To comply with our legal or regulatory requirements, including maintaining patient records and financial records as per law.
- Legitimate Interests: For our legitimate business interest in managing our operations, conducting audits, and ensuring compliance with legal obligations, provided this does not unduly prejudice your rights.
10. Introduction of Other Services/Marketing
As part of our business operations, we may use your personal data to inform you about other products and services that could be of interest to you. However, we will only send such marketing communications if you have explicitly given us your consent.
Additionally, we may share limited personal data with trusted market research agencies to gather feedback from you, which helps us improve and develop our products and services.
If you no longer wish to receive marketing communications from us, you can unsubscribe using the link in any email we send. Alternatively, you can contact our Data Protection Officer (DPO) using the contact details provided at the bottom of this page to update your marketing preferences.
Legal Basis
- Legitimate Interests: We process personal data based on our legitimate business interests in conducting operations, including marketing, while ensuring that your rights are not unduly affected.
How do we collect your personal data?
Directly from you:
We receive and collect your personal data directly from you when:
- You complete an enquiry form, either online via our website or onsite at our premises.
- You book appointments, register for services, or schedule consultations online or in person.
- You have remote consultations with a healthcare professional or our call handlers, including virtual consultations, telephone calls, or any other communication.
- You send us a question or request via our website, email, social media, post, or any other means of communication, including any data shared when you contact us.
- You correspond with us via letter, email, or social media.
- You take part in marketing activities, promotions, or surveys.
- You attend our premises, where CCTV systems are installed, and you may be recorded.
- You sign in at reception or provide personal details when visiting our premises.
- You complete patient or visitor questionnaires, health assessments, or feedback forms, either in person or online.
- You make payments for services, providing financial or billing information.
- You engage with our email marketing campaigns or newsletters (e.g., clicking links, signing up, or subscribing).
Analytics and website technologies
We use cookies and similar technologies to improve your experience on our website. These help us understand how our site is used, measure performance, and tailor content and advertising. Some cookies are essential; others are used for analytics and marketing purposes. You can manage your preferences at any time through your browser settings or our cookie consent tool.
From other healthcare providers
To provide you with the best possible care, we may need to collect personal data from other organisations where you receive healthcare services, in addition to HJE. This may include medical records from:
- your GP
- your healthcare professional (including their medical secretaries)
- your dentist
- the NHS or any private healthcare organisation
- mental health providers
NHS Summary Care Record (SCR)
Your NHS Summary Care Record (SCR) is an electronic record containing key patient information, such as details about your medication, allergies, any adverse reactions to medicines, and, where available, both past and present medical history. This record is created from your GP medical record. Authorized staff in other areas of the health and care system involved in your direct care can access and use this information.
Before your appointment with us, your NHS Summary Care Record will be accessible to the hospital staff involved in your care, unless you have previously opted out of having an SCR. Accessing your SCR enhances patient safety, allowing us to make the most informed clinical decisions for your care. For more information about your SCR, please visit NHS Summary Care Records.
If you prefer that our staff do not access your SCR, or if you have any questions, please contact us.
From other third parties
We may also collect personal data about you from other third parties as follows:
- from third-party referrals, such as healthcare providers or insurers.
- solicitors or other third parties acting on your behalf in connection with medico-legal or other legal proceedings
- your family
- your insurance policy provider
- experts (including medical experts) and other service providers about your care
- NHS health service bodies about your care
- credit reference agencies
- debt collection agencies
- government agencies
- commissioners of healthcare services
If you (or the relevant other healthcare providers and other third parties outlined above) do not provide us with the personal data that we ask for, we may be unable to provide your care.
How will we communicate with you?
We may communicate with you through telephone, SMS, email, and/or post. If we contact you by phone and the call goes to voicemail or an answering service, we may leave a message.
Specifically:
- To keep you informed and remind you about your care, we may send SMS messages or emails.
- For your medical information (such as test results and clinical updates) or billing details, we may use encrypted email for secure communication.
- When we send you any important encrypted email for the first time (e.g., one that we’re not also sending by post or that requires an action on your part), we will make an effort to reach you separately to ensure you can access it.
- If we have your mobile number or email address, we may ask you to complete patient surveys. These surveys help us improve our services and monitor outcomes, but they are not intended for marketing purposes.
Patient surveys, audits and initiatives
We may contact you to ask you to participate in patient surveys regarding your care. We will usually send these surveys to you by email or SMS message. These surveys are not a form of marketing and they do not try to sell you any further products or services. They are solely to get your feedback on your experience, to improve the quality and safety of the healthcare services we offer to future patients. It is entirely up to you whether you participate in the surveys and you can unsubscribe from receiving further survey requests. We use the responses you provide to make improvements to our services. You may also opt in to receiving a call back to discuss your responses.
In addition, we may also contact you to invite you to participate in on-line surveys regarding the clinical outcomes of your care called Patient Reported Outcome Measures (“PROMs”). Again, these are not a form of marketing. If you are a private patient your PROMs results are shared with PHIN (see the next section), and if you are an NHS patient your PROMs results are shared with NHS England. We may send you an initial invitation asking you to participate before you receive your care, by post, SMS, email or in person when you attend the hospital for your care. If you choose to complete a PROMs survey you will also receive subsequent surveys after your care to help establish the benefit you have gained from treatment.
Who do we share your personal data with?
We share your personal data with various internal departments involved in your healthcare, as well as third parties, in compliance with applicable data protection laws.
Third Parties:
As stated in our Patient Terms and Conditions, consultants involved in your care are independent practitioners and are considered third parties for the purpose of this privacy notice. They have separate data protection obligations, and we are not responsible or liable for them.
In addition, below is a list of third parties with whom we may share your information:
- Non-clinical staff involved in your care, including medical secretaries, receptionists, and porters
- Any individuals you designate as an emergency contact, such as your next of kin or carer
- NHS organisations
- Other private healthcare providers
- Your GP or any other private healthcare provider you use
- Your dentist
- Your healthcare professional (including their medical secretaries)
- Third parties assisting in the administration of your care, or responsible for paying for the cost of your care, such as insurance companies
- Third parties acting on your behalf in legal proceedings (including potential claims)
- The Private Healthcare Information Network (PHIN)
- National and professional research/audit programmes and registries
- Government bodies
- Our regulators, such as the Care Quality Commission and Charity Commission
- The police and other third parties for the prevention or detection of crime
- Our insurers
- Debt collection agencies
- Credit referencing agencies
- Third-party service providers, such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers, and tax advisers
How do we protect your personal data?
We are dedicated to safeguarding your personal data and have implemented appropriate security measures—physical, technical, and organisational—to prevent accidental loss, unauthorized access, use, alteration, or disclosure.
We comply with UK data protection laws, including the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR), as well as relevant medical confidentiality standards set by professional bodies, such as the General Medical Council and the Nursing and Midwifery Council.
Furthermore, access to your personal data is restricted to employees, agents, contractors, and third parties who need it for legitimate business purposes. They are required to use your data only as instructed and are bound by confidentiality obligations.
How long do we keep your data for?
Our data retention practices follow the NHS Records Management Code of Practice, which sets out the minimum time periods for keeping different types of health records. We will retain your personal data only for as long as is reasonably necessary to fulfil the purposes outlined in this Privacy Notice.
International transfers of your personal data
If ever we (or third parties acting on our behalf) need to transfer your personal data outside the UK, we take steps to ensure it remains protected. We will only transfer your personal data outside of the UK for the purposes outlined in this Privacy Notice.
Healthcare professionals, their medical secretaries, and/or other third parties involved in your care may use IT services (such as email providers, cloud storage, practice management software, and clinical devices) that rely on or are backed up by servers outside the UK. If these services are used, your personal data may be transferred outside of the UK. It is the responsibility of the healthcare professional to ensure that your personal data is transferred securely and in compliance with the law. This is not the responsibility of HJE.
Your Rights
Under data protection law, you have certain rights in relation to your personal data. You can request to exercise these rights at any time by contacting our Data Protection Officer (DPO), whose contact details are provided at the end of this page, or if your request is limited to accessing your medical records, you can make the request directly by contacting our medical records department [insert link]. Similarly, for imaging results, you can make the request directly by contacting our imaging department [insert link]. Please note that these rights may not apply in every situation, and if we are unable to fulfil your request, we will explain the reasons why.
Your data protection rights are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply, by visiting the ICO’s website.
- Your right to be informed
You have a right to be informed about the collection of your personal data and how it is used. This privacy notice addresses this requirement by telling you what we collect, why, who we share it with and for how long we hold it.
- Your right of access
You have the right to access the data we hold about you. This is known as a Data Subject Access Request (DSAR) or a Subject Access Request (SAR). You can make a request either verbally or in writing, and we are required to respond within one month. For more information or to submit a request for your health records, please refer to the Patient Information page. For other SAR requests unrelated to health or medical records, please email data.protectionofficer@hje.org.uk
- Your right to rectification
You are entitled to request that the data we hold on you is amended if it is inaccurate or incomplete. You can make a request, either verbally or in writing, and we have one month to respond. In certain circumstances this can be refused.
- Your right to erasure
You are entitled to request that the personal data we hold about you be considered for deletion. You can make a request, either verbally or in writing, and we have one month to respond. This right is not absolute and we need to consider it against our own obligations before agreeing to delete your information.
- Your right to restrict processing
You are entitled to request the restriction or suppression of your personal data. You can make a request, either verbally or in writing, and we have one month to respond. This right is not absolute and we need to consider it against our obligations under data protection law.
- Your right to data portability
You are entitled to request to move, copy or transfer personal data that you have supplied to us. You can make a request, either verbally or in writing, and we have one month to supply it to you. This right is not absolute and we need to consider it against our obligations under data protection law.
- Your right to object
You are entitled to object to the processing of your personal data. For us this is normally related to the sending of marketing material to you. You can notify us using data.protectionofficer@hje.org.uk and we will carry out your request. For other purposes your right is not absolute and would have to be considered against our obligations under data protection law.
In addition to these statutory rights you also have the right to:
- Withdraw consent
If you have provided us with consent to use your personal data, you are entitled to withdraw that consent.
- Complain to the Information Commissioner’s Office
If you are not satisfied with the way we have handled your personal data, you can raise the issue with the Information Commissioner’s Office (ICO).
National data opt-out programme
The national data opt-out is an NHS Digital service which enables patients receiving NHS funded care to opt-out from the use of their data for anything other than their individual care or treatment, for example research or planning purposes. All healthcare providers (including HJE) are required to be compliant with the national data opt-out programme.
You can view or change your national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 303 5678. Further information on the national data opt-out programme can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.
External websites
Our websites may contain links to other organisations’ websites. If you choose to visit these sites, please be aware that they should have their own privacy policies, and we are not responsible for them. We recommend reviewing their policies and notices before submitting any personal data.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us [set out how, here]. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
How to contact us
We have a Data Protection Officer, responsible for ensuring your personal data is kept safe and secure. The Data Protection Officer may be contacted at:
c/o Corporate office,
St John & St Elizabeth Hospital
60 Grove End Road, London
NW8 9NH
Email: data.protectionofficer@hje.org.uk
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure that it remains accurate.
Page last reviewed: 21 October 2025