Close Button

Your Privacy and making a Subject Access Request (SAR)

A privacy notice is a statement of how Benenden Hospital Trust collects, uses, retains and discloses your personal information. Personal information is information that identifies you and is about you.

What is a Privacy Notice?

A privacy notice is a statement of how Benenden Hospital Trust collects, uses, retains and discloses your personal information. Personal information is information that identifies you and is about you.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data,
  • How it will be used and,
  • Who it will be shared with,
  • What rights you have in relation to the personal data we collect from you.

The law determines how organisations can use personal information. The key laws are: the Data Protection Act, EU General Data Protection Regulation, the Human Rights Act, relevant health service legislation, and the common law duty of confidentiality.

Within these pages we describe instances where Benenden Hospital Trust is the “Data Controller” (the organisation who decides what data we collect and how it is used), and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.
Benenden Hospital Trust recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties.

This notice applies to Patients, Visitors, Staff Members, Clinicians, Consultants, Contractors, Vendors and Suppliers to Benenden Hospital. Benenden Health Society Members please note for clarification this notice applies to Benenden Hospital Trust and not The Benenden Healthcare Society Limited, who will issue a separate notice.

This privacy notice is effective from 2 November 2022

Link to Supplementary COVID-19 Privacy Notice

Your information

What information do we collect about you?

We only collect and use your personal information where at least one of the legal basis applies and for the lawful purposes of administering the business of Benenden Hospital Trust. The legal basis are as follows;

  • Under consent – where you have given your ‘consent’ to the processing of your personal data
  • Performance of a contract – where the processing of your data is necessary for the fulfilment of a contract, for example e-referrals of NHS patients is subject to a contract
  • Compliance with a legal obligation – processing of your data is required by law and the hospital is required to comply,
  • In the vital interest – we may process your personal data in order to protect your vital interests, for example in providing emergency treatment or care should it be required
  • Public interest – we may process personal data in order to complete a task carried out in the public interest
  • Legitimate interest – we may process your personal data as we hold a legitimate ‘business’ interest in processing that information.

The table below shows the purposes and the associated legal basis under which we process your personal data;

Purpose of processing

Legal basis for processing

Accounting and Auditing

In compliance with a legal obligation and legitimate interest

Accounts and Records

In compliance with a legal obligation and legitimate interest

Advertising and Public Relations

Under consent and legitimate interest

Consultancy and Advisory Services

In performance of a contract and legitimate interest

Crime Prevention and Prosecution of Offenders

In compliance with a legal obligation


Under a legitimate interest

Healthcare Administration and Services

In performance of a contract and legitimate interest

Information and Databank Administration

In performance of a contract and legitimate interest


Under consent and legitimate interest

Sharing and matching of personal information for national fraud initiative

In compliance with a legal obligation

Employment and Staff administration

In compliance with a legal obligation and legitimate interest

What types of personal data do we handle?

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts, promote our services and to support and manage our employees. We also process personal information about healthcare professionals that deliver services within Benenden Hospital Trust.

The types of personal information we use include:

  • Personal identity - such as title, name, marital status, date of birth, National Insurance number
  • Contact details - such as addresses, telephone & mobile numbers, email address
  • Family details – such as next of kin details, relationships to next of kin
  • Financial details – such as bank sort code/ account number, Payment card number, payroll, tax information
  • Employment details – such as salary, annual leave, pension, benefits, discipline and grievance, performance data, occupational health data and security clearance data
  • Education and training details of staff and consultants - such as Training records, Qualification verification
  • Details held in the patient’s record, where we hold or manage the patient’s record – such as NHS Number, GP Details
  • Lifestyle and social circumstances – such as questions about smoking, drinking and general lifestyle
  • CCTV images – for providing security monitoring of the grounds and hospital, internal employment processes and training
  • Responses to surveys where individuals have responded to surveys about issues
  • IP address and Browser settings collected in order to better serve advertising to individuals.

We also process special category of information for patients, staff and consultants, that may include:

  • Racial and ethnic origin
  • Religious or philosophical beliefs
  • Trade union membership
  • Data concerning health
  • Genetic data
  • Biometric data
  • Data concerning a person’s sex life or sexual orientation
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment tribunal applications, complaints, accidents, and incident details.

How will we use information about you?

Your information is used to run and improve Benenden Hospital Trust. In respect of our patients, their data may be used to:

  • Register anyone who may be interested in our treatments and services onto our Customer Relationship Management system
  • Register all patients onto our Patient Administration System
  • Register new referrals for existing patients on our systems, update demographic details and health records with new referral details
  • Return or report on a phone call made to us via the online call-back system via our website
  • Book a private GP appointment through our website using our online booking tool
  • Record telephone calls made to the hospital patient appointments department in relation to appointment enquiries
  • Allow the preparation of health record folder (notes) for the patient
  • Investigate complaints, legal claims or important incidents
  • Make sure services are planned to meet patients’ needs in the future
  • Check and report on how effective Benenden Hospital Trust and the services it commissions has been
  • Display on LCD TV screens within patient waiting areas, as a means to notify you, your name and the consultant you are visiting
  • Display on LCD TV screens in nurse stations within the Inpatient Wards
  • Undertake virtual consultations, via video conferencing or telephone. Your discussions with the consultant or recordings of any consultations will form a part of your health record and will afford the same protection as a physical health record
  • Create operation notes and letters for communicating outcomes with your GP
  • Ensure correct patient information at all times by using your name on identity bracelets, if you are admitted as an inpatient. If you are unable to clearly identify yourself a band maybe used in cases of outpatients
  • Ordering medical devices, such as hip and knee prosthetics for surgical procedures
  • Help patients to make informed choices for treatment by processing anonymised statistical information on private hospital performance
  • To address customer service enquiries made via the website
  • If you request to meet with a chaplain, we may share your name with them.

We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.

For our staff, contractors, consultants, clinical agency staff, vendors and suppliers personal data may be used to:

  • Verify employment history, qualifications and experience
  • Validate ‘right to work’
  • Assess suitability for employment during selection process
  • Personal development of employees
  • Payroll
  • NI and tax accounting
  • Disciplinary and grievances
  • Undertake due diligence and risk assessment of supply chain

Compucare Patient Administration System

Benenden Hospital Trust is the data controller for the Compucare Patient Administration System. This system holds personal details of all patients that have been either referred by Benenden Health Society, referred by a GP via the NHS e-Referrals system or as a private patient that has attended and subsequently discharged.

The information held on this system is used primarily for the purpose of administering healthcare services, it may however be used for other non-health related purposes and shared with statutory bodies/organisations to enable them to fulfil their statutory obligations. ‘Non-health related purposes’ relate to processing such as contracted reporting to the Private Hospitals Information Network (PHIN) using pseudonymised data which allows patients to make informed choices of where they may want accept treatment. We may also use the information within the administration system for statistical analysis to see how the hospital itself is performing with respect to business targets and objectives.

The information will only be shared with other organisations where there is a statutory obligation to do so, or with the agreement of the Benenden Hospital Trust, Caldicott Guardian and the Data Protection Officer. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information-sharing.

My Benenden Hospital Rewards

Benenden Hospital Trust is the administrator of the My Benenden Hospital Rewards loyalty scheme, provided by the platform.

By enrolling in the Scheme, Participants agree to the collection, use and disclosure of their personal data by Benenden Hospital, My Benenden Hospital Rewards and It is recommended that Participants read the privacy information.

The information held on the platform is used for the purpose of administering My Benenden Hospital Rewards, including sending emails relating to a participant’s loyalty scheme account (Transactional emails). Participants can consent to receive promotional offers (Marketing emails) by ticking the Marketing opt-in box on the Join Form and may opt out of Marketing emails at any time by clicking the Unsubscribe link in any Scheme email.

What personal data does My Benenden Hospital Rewards collect?

We collect the following information from you:

  • Personal identity – your first name and last name
  • Contact details – your email address

Sharing your information

We may disclose your personal information for a number of reasons (to the extent necessary). This can be due to:

  • Our obligation to comply with current UK legislation
  • Our duty to comply with a court order
  • A contractual commitment to report statutory information
  • Providing us with your consent to the disclosure of your data

In fulfilling our obligation to provide healthcare services we may share your data with the following organisations:

  • Benenden Healthcare Society
  • National Health Service (NHS)
  • NHS General Practitioners (your Doctor)
  • Specialist consultants
  • Imaging Exchange Portal (IEP - a web-based portal used to allow sharing of scan images between healthcare trusts/organisations)
  • National Joint Registry(NJR)
  • PHIN (Private Healthcare Information Network)
  • Contracted 3rd parties providing medical services or devices
  • Healthcare insurance providers
  • Pathology laboratories
  • Where we are required to do so by law
  • In the event that sharing your data will ultimately benefit you as the data subject.

National Data Opt-out Policy

Benenden Hospital fully complies with the NHS National Data Opt-out policy. National Data opt-out allows NHS Patients to opt-out of their personal sensitive data to be processed (used) for purposes beyond their direct care, namely research.

Sharing your information outside of the EEA

We may from time to time be required to share your information with other service providers who are outside of UK and the EU. The sharing of your information with these providers is necessary in order to provide the necessary medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.

How long will we keep your data for?

We will keep your personal information in accordance with our Retention Policy and for as long as is lawfully necessary to conduct our business with you, and/ or in accordance with our legal obligations for data retention.

If you are treated at this hospital, we will create an adult patient health record for you. This Patient health record is kept for 8 years following the last treatment provided.

If you make a query via the hospital website, we ask for your name, email address and if you are a member of Benenden Healthcare Society. We will retain this information for a period of no longer than 1 year. It will be kept for this period in case of any further enquiries and/or complaints.

What rights do I have regarding your use of my information?

You have the following rights in relation to the personal data that we hold on you:

  • You have a right to make a subject access request
  • You have the right to rectify/amend your personal information if it is incorrectly recorded. Accounting for the purposes of processing you have the right to have incomplete personal data completed, including by means of providing a supplementary statement
  • You may have the right for your personal data to be deleted
  • You have the right to restrict the processing of your data, if you believe that the personal data being processed is inaccurate or is being processed unlawfully
  • You may have the right to data portability. This is the transfer of your data to another data controller, where you have provided your consent and the processing is carried out by automatic means
  • You have the right to make an objection to the processing of your personal data relating to your particular situation, at any time, based on processing of data in the public interest or for the purposes of legitimate interests pursued by Benenden Hospital Trust
  • Where personal data is processed for marketing purposes you have the right to object to the processing of your personal data and to withdraw your consent, at any time, to direct marketing.

How to make a Subject Access Request (SAR)

If you would like to make a SAR, please contact us on You'll be required to complete a SAR consent form which will be sent to you on your request.

Do I have a choice?

Providing Benenden Hospital with your personal data helps us to fulfil our contract to provide you with relevant healthcare services. When providing our services, we will have entered into a contractual agreement with either Benenden Health, the NHS, Health Insurance Providers or directly with you.

Failure to provide Benenden Hospital with your personal data may impact on the level of healthcare we can provide, it may even result in non-acceptance for healthcare treatment at Benenden Hospital. 

For staff, consultants, contractors, vendors and suppliers the restriction on processing of personal data may impact any contractual agreements in place between either party, that may result in failure to meet the contractual obligation.

Data Protection Notification

Benenden Hospital Trust is a ‘data controller’ under the DPA. Our registration Number is: Z729839X. We have notified the Information Commissioner’s Office that we process personal data and the details are publicly available from the:

Information Commissioner’s Office

Wycliffe House

Water Lane,



Changes to our privacy notice

We keep our privacy notice under regular review and we will place any updates on the Benenden Hospital webpage.

Complaints about how we process your personal information.

In the first instance, you should contact the Data Protection Officer on the details below:

Deborah Topping

Telephone: 07712 897211


Office hours are from 9am to 5pm.

You may also refer any complaints directly to the ICO on the contact details provided above.