Privacy policy

Your privacy is really important to us and we are committed to protecting your personal information.

Please note we are currently in the process of updating our privacy policy.

This policy sets out how, in our day to day activities, The Royal Marsden NHS Foundation Trust processes and stores personal information relating to our patients and users of our websites. The Royal Marsden Cancer Charity has its own privacy policy which is applicable to charity supporters and users of its website.

We have published specific information elsewhere that is related to how we process, and how you can access, your personal information.

Quick links


The Royal Marsden NHS Foundation Trust is a world-leading cancer centre specialising in cancer diagnosis, treatment, research and education.

The academic partnership with The Institute of Cancer Research (ICR) makes The Royal Marsden the largest comprehensive cancer centre in Europe with a combined staff of 4,300. Through this partnership, the Trust undertakes groundbreaking research into new cancer drug therapies and treatments. 

The Royal Marsden has two hospitals: one in Chelsea, London, and another in Sutton, Surrey, and an ‘RM@’ Medical Day Unit at Kingston Hospital. Since 2011, the Trust has also been responsible for the effective delivery of The Royal Marsden Community Services, local to its Sutton site, improving patient pathways and delivering high quality services for patients at home. 

To fulfil obligations to deliver cancer diagnosis, treatment, research, education and our community services we collect and process personal information.  In doing this The Royal Marsden NHS Foundation Trust adheres to the requirements of all applicable legislation including the General Data Protection Regulation (“GDPR”) and applies to any personal information we hold that relates to you.  

We aim to be clear about when and how we collect your information and will not to do anything with it you wouldn’t reasonably expect or which we have not made you aware of so please read this policy carefully to understand how we collect, use and store your information.

Contacting us

The Royal Marsden NHS Foundation Trust is a data controller in respect of your personal information. If you have any questions about this policy or the ways in which we may process your personal information, please contact us:

Data Protection Officer
The Royal Marsden NHS Foundation Trust
Fulham Road

Switchboard number: 0207 352 8171

What personal information do we collect?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you are offered or receive.  This may include: 

  • Name, address, date of birth, phone number, and email address where you have provided it to enable us to communicate with you by email
  • Your next of kin and contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of your tests and diagnosis, including medical imaging.
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as home visits or outpatient appointments
  • Information on medicines, side effects and allergies
  • Patient experience feedback and treatment outcome information you provide.

Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers.  To assist this, the use of other electronic patient record systems to share your information will be implemented.  At the relevant point you will be given the opportunity to say no and to opt-out. Should you choose to opt-in, please note that at any point afterwards you can change your mind and opt-out by informing your GP and / or relevant health professional involved in your care.  


We also collect and store personal information relating to our volunteers. The majority of our volunteers will be the “Friends of The Royal Marsden” and volunteers of The Royal Marsden Cancer Charity. Volunteers may be involved in many of the Trust’s services, including the activities associated with individual departments and are engaged by and report to the Chairs or Heads of these departments / services, whether they are in the hospital or community settings. 

In joining as a volunteer, the Trust is required to carry out pre engagement checks which includes retaining a copy of the volunteer’s passport or another form of ID such as driving licence to confirm their identity. References are also obtained and a DBS check carried out for those volunteers who have more than incidental contact with patients or if their role involves visiting patients on any wards or departments. Sensitive data will also be collected and securely stored with regard to Occupational Health matters. 

Those who are successful in their volunteer application will receive a Volunteer Agreement from the Trust and are made aware of their responsibilities regarding confidentiality. All information obtained on application about the volunteer is stored securely with authorised access only. Information is kept up-to-date via the ‘Volunteer Engagement Checklist’. Training records of volunteers is stored locally with the relevant department lead. 

Please note that our lawful bases for processing the personal information relating to volunteers is on the grounds of legitimate interest.

Our website

When you visit our website, you may provide us with personal information such as your name, address, email address or telephone number. 

Here are some examples of when you can provide us with personal information on this website:

  • Your name
  • Your contact details
  • Your date of birth
  • Your gender
  • Your credit/debit card details
  • Your job title
  • Your employment history
  • Information on your usage of our website

Here are some examples of when you can provide us with personal information on this website:

  • When contacting us with an enquiry either via webform or email link
  • When signing up to a newsletter
  • When purchasing an event ticket
  • When giving feedback
  • When filling out a form
  • When you apply for a job with us whereby our Human Resources Department will update you on progress of your application. Please note that the Trust retains evidence of a staff member’s right to work, security documentation and successful candidates application form for six years after the staff members leaves the Trust or the 75th birthday, whichever is sooner. However there is no legislation which prescribes how long information relating to unsuccessful candidates should be retained for. The Trust approach is therefore to retain this information for 400 days after the interview date for unsuccessful candidates. 

Sensitive data

Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. 

GDPR adds a special data category of genetic data and biometric data that is processed to uniquely identify an individual. 

As a healthcare organisation, the Trust will therefore collect sensitive data as defined above. For example:

  • When submitting a referral request
  • When submitting your story to be considered as case study. 

However we do not solely collect healthcare information. Other information will include religious information for example, to make us aware of dietary requirements or limits to treatment, or philosophical beliefs for example, patients who are vegan and therefore have requirements regarding particular medicines. 

Furthermore, as our Workforce Strategy ‘Aspiring to Excellence’ and Annual Equality Report sets out, we are committed to ensuring equality, diversity and human rights are central to the way we deliver healthcare services to our patients and how we support our staff. Every day we are working to ensure that our staff provide inclusive services to all patients, which meet their needs and are delivered with kindness, dignity and respect, irrespective of any equality characteristic such as gender, race, religion or disability status. We also want to ensure that all our staff are treated similarly with kindness, dignity and respect.  Staff and patient surveys are a key mechanism in helping us achieve this as we carefully consider their experiences and feedback to help shape our policies and culture. An equality monitoring form is also sent with all complaint acknowledgements to advise the Trust on this important area. As such, we gather, analyse, report and monitor our workforce and patients equality data by protected characteristic. The full set of equality information is detailed in the ‘Equality Information Report’.

Why do we collect and how do we use your information?

We will process your personal information fairly and lawfully by only using it if we have a lawful reason to do so. Making you aware of your rights and how your information is used is important to us and therefore we have summarised this below. 

However please note that we do not rely on consent as a legal basis for processing information that concerns your direct care.  This is because we are obliged by law to make use of your personal information and record the care and treatment we provide to you.  This is also necessary to allow us to provide you with safe and effective care.  It would not be correct to say that you have a choice as to whether or not we will use your personal information if we are going to provide you with care and treatment.  For this reason, instead of consent, we rely on specific provisions under the law, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’ 

This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information.  We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care.

While most of the information we process will be for direct healthcare purposes, please note that there are other important reasons that we may need to process your personal information. For example:

  • For private care patients we will need to process your data for the administration and obtaining payment for services provided (further details below)
  • To conduct clinical research (although any published data is anonymised)
  • Information shared with The Royal Marsden Cancer Charity and / or other relevant charities that may be supporting you with your cancer.
  • In all of the above cases we would make you aware of the processing and seek your consent on that basis. 
  • We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and / or within our legitimate interests. 

We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.

We will keep your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. 

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.  In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code).The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

Details of retention periods for different aspects of your personal information are (available in our retention policy which you can request from us by contacting us).

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Private Care patients

Whilst the above policies will apply to all Private Care (Insured, Sponsored, or Self-pay patients) patients, there are some additional data sharing requirements that we have for Private Care patients. We share personal and clinical information, for example name, address, date of birth, insurer policy number, with third parties such as private insurance companies for the assessment and approval of funding requests for private treatment at The Royal Marsden. However before any information is shared with these third parties, Private Care patients are required to complete an ‘Undertaking to Pay Form’ which details the terms and conditions of payment for Private Care which explains that personal information is processed in accordance with Data Protection legislation for the relevant purposes set out on the form. For self-funding patients we share personal and clinical information to internal and  external (GP’s, consultants and referring hospitals) clinical staff in order to determine the potential treatment costing.

Where self-funding patients would like to make payments to The Royal Marsden via SwooshTransfer, who we use to provide a cross-border payment service, then certain personal information will need to be shared by us in order to facilitate the transfer of funds. SwooshTransfer is authorised to use your personal information only as necessary to provide these services to us and only to the extent that you would like to make use of this service. 

SwooshTransfer have their own privacy and data handling policy which details how they collect, store, and protect the data that they use. Further details can be found here:
SwooshTransfer-Your most trustworthy global payment platform.


Information sharing and disclosure

Your personal information will be shared with the team who are caring for you and are providing your treatment.

NHS and other agencies, including social services and private healthcare organisations work together so we may need to share information about you, with other professionals and services involved in your care. We will only share your information in this way if we have your consent and it is considered necessary.

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care who can seek advice from our Information Governance Department.  If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care we will explain this to you so that you can make a fully informed choice.  

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies.  In these rare circumstances we are not required to have your consent and rely on other lawful grounds to process the data for example, our legitimate interests for the purposes of improving our services and website in order to run our organisation effectively and efficiently. We may also process data where it is necessary for the performance of a contract, for example for private patients we need to process billing information. 

Other examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm
  • If there is concern that you are putting another person at risk of serious harm
  • If there is concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a Court
  • Immigration authorities / relevant third parties requiring information to obtain payment for services provided to overseas visitors
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • If regulators use their legal powers to require us to provide them with patient information as part of any investigations they are undertaking. 

NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services.  We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.  

NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can  Opt-Out of sharing your data with NHS Digital please click on this link.

The Royal Marsden Cancer Charity

We work closely with The Royal Marsden Cancer Charity both in managing the volunteers that help in the hospital and enabling its supporters to get updates from clinical staff about the work they help to fund. In both cases it is necessary for us to disclose information to some staff working for The Royal Marsden Cancer Charity.

Plain English explanation

This privacy notice explains why health and care organisations share information about you and how that information may be used in the Connecting your Care programme.

You can find out more about the organisations that are part of Connecting your Care on our website, along with the answers to some Frequently Asked Questions at:

The health and care professionals who look after you keep their own records in different specialist systems that contain details of any treatment or care you have received or are receiving from them. These records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensure your information is kept confidential and secure.

Connecting your Care provides health and care professionals with a secure” electronic summary view of the information that organisations want to share about you. This provides the people looking after you with important information from other services that you use, so that they can quickly assess you and make the best decision or plans about your care.

The information which health and care organisations can share about you might include the following information:

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, scans, x-rays, etc.
  • Relevant information from other health and care professionals, relatives or those who care for you
  • Care and support you may be receiving from Social Care services
  • Urgent care and NHS 111 visits/calls
  • London Ambulance Service calls.

As part of this Privacy Notice we are required by law to provide you with the following  information. To help in understanding the terms of this Notice we have provided definitions where indicated. 

1) Controller contact details

The Royal Marsden NHS Foundation Trust

2) Data Protection Officer contact details Brinda Sittapah - Company Secretary
3) Purpose of the processing (sharing)

Information will be shared in order to facilitate “direct care” that is delivered to the individual – that is, where a health or care Organisation has direct contact with a patient or service user in order to provide them with immediate care, treatment or services.

Direct Patient Care is defined as:

“ a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care”. [Information: To Share or Not To Share? Dame Fiona Caldicott,  April 2013…].

4) Lawful basis for processing (sharing)

“Processing involves any operation performed on personal data, whether or not by automated means. This includes collection, use, recording, feeding it to machine learning algorithms.”


The processing (sharing) of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the: Data Protection Act 2018/General Data Protection Regulation 2016:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h)necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

Health and social care services have a legal obligation to share information about you from their records if it is seen to be in your best interests for the purposes of your direct care.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.

Common Law Duty of Confidentiality”                                                      

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent or, in the absence of consent, a legitimising purpose.

5) The Sources of the Data and the Recipient or categories of recipients of the processed data 

Data sources

Information is shared between all the health and care organisations that are part of the Connecting your Care programme.

For the full list of organisations that are part of Connecting your Care please see our website:

Categories of recipients

Only health and care professionals in each of the defined organisations who are providing you directly with care or services can see your information.

This Privacy Notice will be reviewed and updated annually, as required, or in the event of significant change. The list of organisations that are part of Connecting your Care will be updated each time new partners join the programme. 

6) Rights to object

You have the right to object to some or all your information being processed (shared) under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).

You are advised that whilst under this legislation you have the right to raise an objection, this right is not absolute in relation to health and care data being shared for for the purposes of direct care under the lawful bases for sharing as described in section 4 of this Privacy Notice.

All objections will be considered on an individual basis by the Data Controller.

The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. 

7) Rights to access and rectification 
You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.
If your health or care provider holds information about you, and you make a subject access request they will: 
Give you a description of it
Tell you why it is being held
Tell you who it could be shared with
Let you have a copy of the information in an intelligible form.
To make a Subject Access Request  you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website.
You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be  made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice.
Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible. 
All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed. 
There is no right to have accurate medical records deleted except when ordered by a Court of Law.
8) Rentention period Information held about you by each Data Controller  will be retained in line with the law and national guidance.
9) Right to complain


You have the right to complain about the way in which your information is used or shared, if you think the information has been shared inappropriately. Each provider will have their own complaints process and you will need to contact them directly to register a complaint.

You can find the contact details and information about how to register a complaint on each individual organisation’s website.

You can also contact the Information Commissioner’s Office via the following link  or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate). 



RM Partners

RM Partners has been tasked with radically restructuring the cancer care systems across west London to truly transform the model of care and improve outcomes and experience for our patients. With our partners, we are leading on the delivery of the recommendations in the NHS National Cancer Strategy.

The programme of work is overseen by three governance groups: the RM Partners Executive Group, made up of the 10 Trust chief executives, alongside commissioners and primary care leads; the Delivery Group, consisting of acute Trust chief operating officers, and the Clinical Oversight Group, which consists of clinical representatives from each of our partner Trusts and primary care leads.

As an established Cancer Alliance with a track record of delivery, we contribute to the National Cancer Programme and support other Cancer Alliances by sharing our work and learning. The aim over the coming years is to continue to deliver our vision of working in partnership to achieve world-class cancer outcomes for the population we serve. We work to reduce variation in outcomes and access, in order to further improve survival and quality of life for our population.

Our priorities are consistent with those of our constituent STPs in north west and south west London, and our work plans to deliver world class cancer services are aligned.

The Alliance accesses national datasets on Cancer Alliance patients to inform improvements to cancer patients, with the aim to decrease cancer mortality, by improving early diagnosis and survival for those patients diagnosed with cancer. This includes working to optimise patients pathways, a key measure of which is performance against the National Cancer Waiting Times standards.

The data is accesses on the following legal basis under GDPR:- article 6 - e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and article 9 – 2j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Complaints on the use of data can be made via Information Commissioners Office :-

The Cancer Alliance RM Partners, processes data related to cancer patients who are treated or resident in West London, in addition to other regions of England for the purposes of bench marking. This is completed on the basis of improving the pathways for cancer patients, and improving the outcomes for these patients.

Your Rights 

Under certain circumstances, you have rights under information protection laws in relation to your personal information. These rights include:

  • Requesting access to your personal information.
  • Requesting correction of your personal information.
  • Requesting erasure of your personal information.
  • Objecting to processing of your personal information.
  • Requesting restriction of processing your personal information.
  • Requesting transfer of your personal information.
  • Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.