This Privacy Notice sets out what personal information we may collect from you and how that information may be used.

In particular, this Privacy Notice:

  • explains how we will manage your personal information, from the time we collect it and onwards;
  • explains how we use your personal information and who we share it with;
  • how we will comply with any relevant laws; and
  • explains your rights in relation to your personal data, and how you can exercise them.

This Privacy Notice does not cover any links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our websites, we encourage you to read the privacy policy of any website you visit.

We have a separate Privacy Notice written with children in mind. If you are under 13 and wish to ask a question or use our website in a way that requires you to submit any personal information, please ask your parents or guardian to do it on your behalf.

This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below. Alternatively you can download this policy here.  

About us

What personal information do we collect from you and how do we use it?

Who do we share your personal information with?

What marketing activities do we carry out?

Your rights

International data transfers

How to contact us

About us

HCA Healthcare UK (HCA) is an independent provider of private healthcare, offering treatment to private patients and NHS patients. In order to provide healthcare services and receive payment for those services, HCA need to collect and process certain information about you ("personal data").  HCA is a 'data controller' for the information that it collects and processes about you, and you are the 'data subject'.  Our Data Protection Officer can be contacted at 2 Cavendish Square, London W1G 0PU or at

HCA is committed to protecting and respecting your personal information. This Privacy Notice explains what personal information we may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.

HCA Healthcare companies and facilities in the UK:

The Harley Street Clinic
The Lister Hospital
London Bridge Hospital
The Portland Hospital
The Princess Grace Hospital
The Wellington Hospital
The Harborne Hospital
University College Hospital Private Care, The Wilmslow Hospital and The Christie Private Care

We may share data between these companies and facilities where it is appropriate to facilitate the provision of your care. 

What personal information do we collect from you and how do we use it?

We will use your personal data for the reasons set out below.  The personal data we collect and use may include:
  • your name, address and contact details, including email address and home and mobile telephone numbers.If you provide these details, we may use them to contact you unless you ask us not to.This could include emails, text or voicemail messages;
  • date of birth and gender;
Contractual and Financial Information
  • the terms and conditions of your contract with us for the provision of healthcare and related services;
  • your bank account and national insurance number) if you are a ‘self-pay ’patient or the financial information of the company or individual who is responsible for the payment of invoices/bills
  • relating to your care (e.g. insurer, sponsor, guarantor or employer);
  • we will take a swipe of your debit or credit card.  We will let you know if we intend to take a payment from this card before we do so;
  • information about your marital status, next of kin, dependants nominated and/or emergency contacts;
  • information about your nationality and entitlement to treatment in the UK; and
  • equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief, genetic data.

Health related Data

  • your previous and current medical health records whether provided by HCA UK or other third parties; 
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments; 
  • information about medical or health conditions of your family; 

Performance Improvement

  • Information about how you use our website.
  • Information received in response to any surveys, complaints claims CCTV

The data we collect may also include visual images, personal appearance and behaviour e.g. where CCTV is used as part of our building security measures.

Other HCA Privacy Notices

If you are employed or may be employed by HCA UK we will also hold and process other information relating to your recruitment and employment You can also obtain a copy of the Staff Privacy Notice from the HCA HR team.  

If you are a Consultant/ Doctor or other healthcare provider you are not employed by HCA UK but we will also hold and process other information relating to you and the clinical services you carry out. (See the Privacy Notice for Consultants and Doctors.) or you can obtain further information from the Facility CEOs or your clinical contact.). 

How HCA collect this information

HCA UK may collect this information in a variety of ways. We will collect most of this information directly during the registration and/or admission process but we may also obtain data from your passport or other identity documents such as your driving licence; from pre-admission forms, online web forms; from correspondence with you; through interviews and surveys, meetings or other assessments.

We will collect data if you have a remote consultation with a healthcare professional either virtually or by telephone.

We will collect data if you make a clinical enquiry, ask us to find a Consultant or ask us to obtain a second opinion for you. If we ask you to provide copies of your medical records we will retain these for 6 months unless we go on to provide clinical care for you in which case your records will be held in accordance with our normal retention policy.

In some cases, HCA may collect personal data about you from third parties, such as your GP, the NHS, mental health providers, insurance providers, referral agencies, sponsors, credit and other checks permitted by law.

Where information is obtained from a third party not involved in your care or employment we will let you know.

We will tell you if providing some personal data is optional, including if we need to ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment to you and receive payment for these services. 

How do we use your data?

We use your personal data to support the provision of your healthcare in the following ways:

  • To decide how best to provide treatment to you; 
  • As necessary to support the healthcare contract with you and to allow us to receive full payment for those services;
  • To take steps at your request during the course of your treatment;
  • To keep your records up to date

We use your data for the following purposes, to maintain the high standards of service that we provide to you:

  • For good governance, accounting, and managing and auditing our clinical and business operations both internally and by third parties;
  • For surveys of patient experience and quality of care;
  • To monitor emails, calls, other communications, and activities on HCA networks and systems;
  • For market research, other surveys and analysis and developing statistics for improving clinical performance; and

We may process your data to ensure the security of our systems and to prevent crime and ensure compliance with all laws and regulations that are applicable to our services:

We may monitor and record telephone calls, emails, text messages, social media messages and other communications in relation to our dealings with you.  We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.

We use your data to ensure we can comply with our legal obligations:

  • When you exercise your rights under data protection law and make requests;
  • For compliance with legal and regulatory requirements and related disclosures;
  • For establishment and defence of legal rights;
  • For activities relating to the prevention, detection and investigation of crime;
  • To verify your identity, credit fraud prevention and anti-money laundering checks; and
  • To investigate complaints, legal claims and data protection or clinical incidents.

Based on your consent we may also share your data:

  • With your next of kin or other nominated contact;
  • If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your
    behalf; or otherwise agree to disclosures;
  • When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).

You are free at any time to change your mind and withdraw your consent, where we have only relied on your consent, to share your data. We will advise you if the consequence of doing so is that we cannot continue to provide full healthcare services to you.

Who do we share your personal information with?

We may share your personal data with:

Healthcare Providers or those who help us provide care to you

  • Consultants/Doctors and other healthcare professionals who provide treatment to you at our Facilities;
  • Other healthcare providers including your General Practitioner (GP) where we believe this will enhance the quality of your care. Let us know if you do not wish us to share information with your GP;
  • The HCA group of companies and associated companies including entities in the United States;
  • Sub-contractors and other persons who help us to provide healthcare products and services to you;
  • Companies and other persons including interpreters providing services to you as part of your extended care and post care follow-up;
  • Advisors, Legal, Government and regulatory bodies

Our legal and other professional advisors, including our auditors;

  • Fraud prevention agencies, credit reference agencies, and debt collection agencies;
  • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner's Office and Care Quality Commission (CQC)
  • General Medical Council and other professional bodies;
    • Courts, to comply with legal requirements, and for the administration of justice;


In an emergency or to otherwise protect your vital interests;

  • Third parties who help us to protect the security or integrity of our business operations and other patients;
  • When we restructure or buy or sell our business or its assets or have a merger or re-organisation;
  • Payment systems and providers; and
  • Anyone else where we have your consent or as required by law.

Sharing of your personal data in order to receive payment for your treatment from your Insurer, sponsor or guarantor

We will contact the individual or company including your insurer and provide them with the information necessary to support our invoices for payment and to ensure that we receive full payment for your care. We may also contact them prior to your care to confirm that the treatment you are about to receive is covered by them and they are willing to pay for your care.  We will also provide information necessary to support any audits carried out by insurers and sponsors.

What marketing activities do we carry out?

Subject to obtaining your consent and in accordance with your communications preferences we may use your contact details to send you newsletters and other information on new Facilities, services and treatments which we think may be of interest to you. We will not sell your personal data to a third party without your written consent.

You are free at any time to change your mind and withdraw consent for marketing activities. Please contact  This will not affect the healthcare services we provide to you.

International transfers

Your personal data may be transferred outside the UK and the European Economic Area.  While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it.  These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an 'international framework' of protection.

How long do we keep your data?

Information will be kept in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016).

Information may be held for longer periods where the following apply: 

  • Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have;
  • Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us; and
  • Retention in accordance with legal and regulatory requirements. We will retain your personal data after you have received healthcare services at our Facilities based on our legal and regulatory requirements and obligations.

Your rights under applicable data protection law

Your rights, under the data protection laws, are as follows (noting that these rights do not apply in all circumstances):

  • The right to be informed about processing of your personal data;
  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
  • The right to object to processing of your personal data;
  • The right to restrict processing of your personal data;
  • The right to have your personal data erased (the "right to be forgotten”);
  • The right to request access to your personal data and information about how we process it;
  • The right to move, copy or transfer your personal data ("data portability") ; and
  • Rights in relation to automated decision-making including profiling

You may exercise these rights by contacting us on

You have the right to complain to the Information Commissioner's Office (ICO). It has enforcement powers and can investigate compliance with data protection law. Contact the ICO on

How to contact us

You can pick up a copy of this Privacy Notice from Reception at our Facilities.

Further information can be provided from our Data Protection Officer on 

This Notice may be translated into other languages on request.

Last Updated: May 2021