Private Patient Privacy Notice

This privacy notice explains how Royal Devon University Healthcare NHS Foundation Trust (“the Trust”) uses and protects personal information relating to individuals who receive private healthcare services through Royal Devon Private Healthcare.

Royal Devon Private Healthcare provides private (self‑funded or insured) patient services that are delivered by NHS clinicians, within NHS facilities, and under NHS clinical governance arrangements. Although the funding for these services is private, the Trust remains an NHS organisation and applies the same standards of confidentiality, clinical safety, and information governance to private patient information as it does to NHS patient information.

This notice provides additional, specific information for private patients and should be read together with the Trust’s main Patient Privacy Notice, which explains how the Trust processes patient information across its NHS (non‑private) services:

https://www.royaldevon.nhs.uk/about-us/information-governance/fair-collection-privacy-notice/patient-privacy-notice/

Where your personal data is processed in the same way as for NHS patients, the Trust’s main Patient Privacy Notice applies. This Private Patient Services Privacy Notice explains what is additional or different for private healthcare, particularly in relation to billing, insurance, and administrative processing.

Who we are

Royal Devon University Healthcare NHS Foundation Trust is the data controller for the personal data processed in connection with private patient services.

Trust address:
Royal Devon University Healthcare NHS Foundation Trust
Barrack Road
Exeter
EX2 5DW

The Trust is registered with the Information Commissioner’s Office (ICO) and processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

Data Protection Officer (DPO):
Email: rduh.dpo@nhs.net 

The Data Protection Officer oversees compliance with data protection legislation and can be contacted if you have questions or concerns about how your information is used.

How we collect and hold your information

We collect personal information directly from you when you make enquiries, attend appointments, or receive treatment through Royal Devon Private Healthcare. Information may also be received from referring clinicians, other healthcare providers, and, where applicable, private medical insurers.

Your information is held securely in both electronic and paper formats. Private patient records are often stored within the same clinical systems used for NHS care; however, access is strictly controlled and limited to staff who need the information to carry out their role. All staff are subject to professional duties of confidentiality and regular information governance training.

What information we process about private patients

The Trust processes personal data that is necessary to provide safe healthcare and to manage the administrative and financial aspects of private treatment.

This includes personal and contact details such as:

  • Name
  • Address
  • Telephone number
  • Email address
  • Date of birth
  • Hospital number
  • NHS number

We also process health and care information, including:

  • Referrals
  • Clinical correspondence
  • Medical history
  • Diagnoses
  • Investigation results
  • Treatment plans
  • Operative notes
  • Records created during and after your private treatment.

In addition, because your care is privately funded, we process financial and administrative information. This may include:

  • Cost estimates
  • Invoices
  • Payment records
  • Correspondence relating to payment

Where your treatment is covered by private medical insurance, this may include insurer details, policy numbers, and authorisation information required to confirm funding and payment.

How we use your information

Your information is used primarily to provide safe, effective, and high‑quality private healthcare. This includes arranging appointments, delivering investigations and treatments, maintaining accurate clinical records, and supporting continuity of care.

We also use your information to manage the administrative and financial arrangements associated with private healthcare. This includes billing, processing payments, liaising with private medical insurers where relevant, and maintaining appropriate financial records.

The Trust also has legal, regulatory, and governance obligations that require the use of patient information. These include meeting statutory healthcare duties, responding to complaints or legal claims, undertaking audits, supporting service improvement, and ensuring compliance with financial and healthcare regulations.

The Trust does not use patient health information for direct marketing purposes, and personal data is not sold to third parties.

Lawful basis for processing

The Trust processes personal data in accordance with UK GDPR and UK Data Protection legislation.

For personal data, the Trust relies on the following lawful bases, which allow the Trust to provide healthcare while ensuring personal data is handled lawfully, fairly, and transparently:

Each entry below gives the purpose or reason for processing, the legal basis under UK GDPR (Article 6), and the additional legal basis for special category (health) data (Article 9).

Receiving and responding to enquiries
  • Article 6(1)(b) – contract (processing is necessary to take steps at your request before entering into a contract)
  • Article 9(2)(h) – medical diagnosis and the provision of healthcare

Providing private healthcare services
  • Article 6(1)(b) – contract (processing is necessary to deliver private healthcare services)
  • Article 9(2)(h) – medical diagnosis, provision of healthcare or treatment and management of

Protecting your life and health in an emergency
  • Article 6(1)(d) – vital interests (duties relating to patient safety and care)
  • Article 9(2)(c) – vital interests where the individual is physically or legally incapable of giving consent

Managing billing, invoicing, receiving payment and recovering outstanding fees, including liaison with private medical insurers
  • Article 6(1)(b) – contract (payment for private healthcare services) and/or Article 6(1)(f) – legitimate interests (managing and protecting the Trust’s financial interests)
  • Article 9(2)(f) – establishment, exercise or defence of legal claims

Administration and operational management of private healthcare services
  • Article 6(1)(c) – legal obligation and/or Article 6(1)(f) – legitimate interests (safe, compliant and effective service delivery)
  • Article 9(2)(h) – management of health systems and services, and Article 9(2)(f) – legal claims

Communicating with you about your care, treatment or diagnostics
  • Article 6(1)(b) – contract and/or Article 6(1)(f) – legitimate interests (effective communication and coordination of care)
  • Article 9(2)(h) – provision of healthcare

Managing and investigating complaints, incidents, claims and legal proceedings, including defending or exercising your rights
  • Article 6(1)(c) – legal obligation and/or Article 6(1)(f) – legitimate interests
  • Article 9(2)(f) – establishment, exercise or defence of legal claims

Safeguarding adults or children, including preventing abuse, neglect or serious harm
  • Article 6(1)(c) – legal obligation
  • Article 9(2)(g) – reasons of substantial public interest (safeguarding)

Preventing, detecting and investigating fraud or financial crime, including sharing information with law enforcement
  • Article 6(1)(c) – legal obligation (preventing fraud and protecting services and funds)
  • Article 9(2)(g) – substantial public interest (preventing fraud)

Collecting patient feedback and conducting satisfaction or experience surveys to improve private healthcare
  • Article 6(1)(f) – legitimate interests (service evaluation and improvement)
  • Article 9(2)(h) – where feedback relates to healthcare

Conducting clinical research, where
  • Article 6(1)(a) – consent
  • Article 9(2)(j) – scientific research purposes and/or Article 9(2)(a) – explicit consent

Sending marketing communications about private healthcare services, where you have opted to receive them
  • Article 6(1)(a) – consent
  • Not normally applicable

Complying with our legal and regulatory requirements, such as disclosing information to private healthcare information networks, e.g. PHIN (Private Healthcare Information Network)
  • Article 6(1)(c) – legal obligation
  • Article 9(2)(g) – substantial public interest and/or Article 9(2)(h) – management of healthcare services

Who we share your information with

Your information is shared only where this is necessary, lawful, and proportionate.

This may include sharing information with NHS clinicians and staff involved in your care, whether delivered as private or NHS care. Where appropriate, information may also be shared with other NHS organisations or external healthcare providers involved in your treatment.

For private healthcare services, relevant information may be shared with private medical insurers for the purposes of treatment authorisation, invoicing, and payment. Information may also be shared with Trust finance teams and with carefully selected third‑party organisations that provide services on the Trust’s behalf, such as billing or system support services. All such organisations are required to handle personal data securely and in accordance with data protection law.

Private care alongside NHS care

Some patients receiving private treatment from the Trust also receive NHS care. Where applicable, clinical information may be held within shared Trust systems to ensure that clinicians have access to accurate and up‑to‑date information necessary for safe care.

Access to patient records is controlled through role‑based access controls, audit logging, and confidentiality agreements. Receiving private healthcare does not reduce your rights or alter how the Trust protects your information.

How long we keep your information

Private patient records are retained in line with the NHS Records Management Code of Practice and other applicable legal and financial retention requirements. In most cases, retention periods for private care records mirror those that apply to NHS patient records unless a longer period is required by law.

Once information is no longer required, it is securely destroyed or permanently deleted.

Your rights

You have rights under UK data protection legislation, including the right to access your personal data, to request correction of inaccurate information, to request restriction of processing in certain circumstances, and to object to some types of processing.

Where we rely on contract as a lawful basis, you, as the data subject, also have the right to data portability.

Full details of your rights, how to make a request, and how to raise concerns are set out in the Trust’s main Patient Privacy Notice, available here:

https://www.royaldevon.nhs.uk/about-us/information-governance/fair-collection-privacy-notice/patient-privacy-notice/

You also have the right to raise a complaint with the Information Commissioner’s Office (ICO). If you have concerns, please contact us first.

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk

Contact details

If you have questions about how your information is used in relation to private healthcare services, please contact:

Private Patient Office
Email: rduh.privatepatients@nhs.net 

For data protection queries or to exercise your rights, contact:

Data Protection Officer
Email: rduh.dpo@nhs.net