Your personal data may be used By HCA to carry out audits of clinical outcomes and support performance and process improvements. Where-ever possible we will use anonymized data. Where data that identifies you is used this is restricted to specialist teams.


Sharing of your personal data to contribute to the review and publishing of information about the quality and cost of privately funded healthcare.

HCA Healthcare (HCA UK) is required to provide hospital performance data to the Private Healthcare Information Network (PHIN), which publishes information on the quality and cost of privately funded healthcare.  PHIN’s goal is to help patients make more informed choices about where to go for treatment.

The Private Healthcare Information Network (PHIN) is the independent, government-mandated source of information about private healthcare. PHIN operates with a legal mandate to work with all hospitals and consultants providing private healthcare across the whole of the UK. That mandate comes from the Competition and Markets Authority (CMA) and imposes a legal duty on hospitals and consultants to submit data to PHIN as the official Information Organisation (IO) for private healthcare.

The CMA’s Order is issued under the Enterprise Act 2002 and specifies 11 performance measures for PHIN to publish, by procedure, at both hospital and consultant level. These performance measures are also listed on PHIN’s website at Section 167(2) of the Enterprise Act provides that, “Any person to whom such an undertaking or order relates shall have a duty to comply with it”.

On this basis. PHIN’s lawful bases for processing private patient data is Article 6(1)(c) of the GDPR: as due to the obligations under the CMA Order the lawful basis for the processing of personal data is “necessary for compliance with a legal obligation”. The same lawful basis applies to providers who have obligations under the CMA Order to disclose patient data to PHIN

Publication will be made via the PHIN website in a format that will allow patients requiring hospital treatment and their doctors to search for local private hospitals by procedure and to compare how they perform in terms of quality and safety based on treatment data. Individuals are then able to make informed choices; which Consultant to see, which treatment option to follow, and at which hospital to be treated.  This information will not be in a form where individuals can be identified.

The PHIN Privacy Notice can be found at

Sharing NHS numbers

Your NHS number may be shared with PHIN as part of the process above.  An additional reason for obtaining the NHS Number relates to HCA UK’s intention to access the UK Child Protection Information Sharing (CP-IS) system in order to facilitate the sharing of information between health and local authorities where a child may be at risk of being neglected, maltreated or abused.

HCA UK ensures all the information it holds is kept safe and confidential.

National registries

The Confidentiality Advisory Group (CAG) advises the Health Research Authority (HRA) whether there is sufficient justification to process patient information without consent in England and Wales for the purposes of research, where it is in the public interest to process such patient information. Where data is shared without consent organisations must still comply with the principles of the data protection laws.

It is possible to opt out. If you wish to opt out please contact HCA directly on

CAG sets certain additional expectations in relation to safeguards e.g. transparency and the opportunity for patients to opt out which are a condition of the approval for research. HCA shares data with the following National Registries:

National Cancer Registries

Sharing of your personal data for scientific research purposes HCA will only share your personal data for research purposes if:

  • It is fully anonymised and you cannot be re-identified from the anonymised information
  • It is being shared for one of the purposes above
  • We have obtained your explicit written consent

Any data sharing will always be subject to applicable data protection laws.


Download policy