Privacy Notice - How We Use Your Information

This practice keeps medical records confidential and complies with the General Data Protection Regulation.

We hold your medical record so that we can provide you with safe care and treatment. 

We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you. 

  • We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy. 
  • This practice is a member of the East Devon Health federation of GP practices and works collaboratively with other member practices for the purpose of delivering the best possible healthcare to patients in east Devon. To enable us to optimise the available resources with your needs you may be referred to other member health partners for treatment and will be given access to your health record to facilitate this treatment. You have the right to opt out if you do not wish your data to be shared under this arrangement.  For more information on how we share your information with other GP practices and any other organisation who are directly involved in your care, please ask to speak to either Dr Tania Davis who is our Caldicott Guardian Lead, or Mrs Deborah Mitchell our Practice Manager who would be pleased to discuss any concerns and share our arrangements and Information Sharing documents with you.
  • Healthcare staff working in Accident and Emergency and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see the NHS Digital website or alternatively speak to your practice. 
  • You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected. 

Other important information about how your information is used to provide you with healthcare


Registering for NHS care

  • All patients who receive NHS care are registered on a national database. 
  • This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. 
  • The database is held by NHS Digital a national organization which has legal responsibilities to collect NHS data.
  • More information can be found on the NHS Digital website  the phone number for general enquires at 0300 303 5678

Identifying patients who might be at risk of certain diseases

  • Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. 
  • This means we can offer patients additional care or support as early as possible. 
  • This process will involve linking information from your GP record with information from other health or social care services you have used. 
  • Information which identifies you will only be seen by this practice.
  • For more speak to the practice. 


  • Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. 
  • These circumstances are rare. 
  • We do not need your consent or agreement to do this. 
  • Please see our local policies for more information.

Not a patient but perhaps a relative, friend, next of kin or otherwise have an involvement with a patient?

It is possible that we also hold information on you as part of someone else’s record.  The nature of the information held about you will depend on the circumstances that the information was collected for.  For instance if you have been named as patient Next of Kin we will hold your name and a means of contacting you such as a phone number or address.  

Under Data Protection law you will be entitled to receive a copy of this information unless there is good reason not to provide it. 


Child Health Information Service

Purpose – South, Central and West Child Health Information Services (SCW CHIS) is commissioned by NHS England to support the monitoring of care delivered to children. Personal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions.

For more information please see Fair Processing Notice Child Health Information Services - NHS SCW Support and Transformation for Health and Care 

Legal Basis – Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”

Processor – SCW, Apollo Medical Software Solutions, System C


Population Health Analytics

As well as using your  information to support the delivery of care to you, your data may  be used to help improve the way  health and social care is delivered to patients and service users throughout Devon using Population Health Management methods. We will only use a pseudonomised extract (ie not identifiable information) which will be sent securely to Devon ICB and in partnership with Optum,  who have been appointed to provide  technical assistance to  Devon ICB,  use the information to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations. Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a National Data Opt Out, will be excluded from this programme and will not have their data extracted for this purpose.  

Further information about Population Health Management can be found on the NHS England website. We will rely on Public interest task as the legal basis for processing your data for this purpose.


Recording of Telephone Calls

The surgery records all telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse. All calls to and from the surgery are recorded. We also occasionally use recordings for staff training and quality control.


AccuRx – Patient Communication for Healthcare Professionals

AccuRx are an NHS Digital approved supplier generally and are also NHS Digital approved specifically as a video consultation supplier. They have Data Security and Protection Toolkit assurance (ODS code: 8JT17) and Cyber Essentials Plus certification.

AccuRx are used to facilitate text messaging and video consultations –– your name and mobile telephone number are shared for purposes of arranging video consultations, sending appointment reminder messages, links to specific healthcare advice and recall requests.

AccuBook is used specifically and only for booking Covid-19 Vaccination appointments.


Away from my Desk

The practice has 2 licences for Away From My Desk which allows senior employees to connect to their work computer remotely from their personal device in order to work from home.  The practice ensures staff have completed Information Governance, Data Security and Data Protection training and follow strict protocols.  There are full audit trails regarding usage.

Away from my Desk has achieved the Cyber Essentials scheme credentials and complies with the strict NHS Guidelines originally set out in the IG Toolkit.



The practice may use trained volunteers (ie doctors, nurses, students not employed by the practice etc ) to help with the administering of the Covid and Flu Vaccines and the data input into medical records of the Covid and Flu vaccines.


Devon Wide Research Feasibility Group

The practice, along with several others across Devon works with the National Institute for Health Research South West Peninsula (NIHR SWP) to deliver and offer Clinical Trials and Research Studies to the registered population.

In addition to offering Trials and Studies, the Practice works with the NIHR SWP to carry out feasibility reports. This enables the NIHR SWP to report on behalf of the practices, the population across Devon (where practice’s have opted in), to determine whether it is feasible for a study to open, or be considered for the local region (Devon, Cornwall and Somerset). The feasibility group does not extract or access patient identifiable data and staff who undertake this work are bound by Confidentiality: NHS Code of Practice, General Data Protection Regulations 2018 and Good Clinical Practice (training for the delivery of research).

Patients who wish for their data to be excluded from the “top level” feasibility reports should request that the practice records an opt out on their record.



Thrive Tribe have been commissioned by Devon ICB to provide help support the delivery of SMI Annual Physical Health Checks by increasing capacity within Primary Care.

The aim of the Service is to identify and invite eligible patients who have been diagnosed with a severe mental illness (SMI) to attend their annual physical health check.

In order to facilitate this, Thrive Tribe will need access to GP systems to be able to access the information needed to identify and contact eligible patients via phone, text, letter or email. Therefore, without access to this data, we will not be able to offer this service to GP Practices.  A Data Sharing Agreement and DPIA is in place. 


Care Home Project

The Care Homes Frailty team are contracted by WEB PCN to deliver the requirements of the Enhanced Health in Care Homes element of the Contract Network Direct Enhanced Service (DES) for all WEB PCN practices.

The project supports care home residents in receiving enhanced care and provides health and wellbeing reviews, individual care planning and specialist support by a multi-disciplinary team.

OTs and care co-ordinators will have read/write access to the clinical system. They will be expected only to access the records of the patients referred to them directly or added to their appointment clinic by the practice staff.  A Data Sharing Agreement and DPIA is in place. 


Summary Care Record (SCR)

NHS England have implemented the SCR which contains information about you; including your name, address, data of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system.

Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.

As well as this basic record, additional information will also be added to include further information. You can find out more about the SCR on the NHS Digital website



We share your record using GP Connect to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to local providers who are involved in your care. This includes the sharing of, personal contact details, diagnosis, medications, allergies and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service.

Please note that if you have previously dissented (opted-out) to sharing your records, this decision will be upheld.

Should you wish to opt-out of, please speak to [Insert Contact Details/Employee role] who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.


Devon and Cornwall Care Record

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.  This shared system is called the Devon and Cornwall Care Record.

It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.

Only authorised staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.



The objective is to improve the efficiency of social prescribing, an initiative designed to improve the mental health and wellbeing of patients by connecting them to non-medical interventions such as exercise groups and activities.

Patients referred to the Social Prescribing Service will also be provided with information regarding the use of Joy App.


We are required by law to provide you with the following information about how we handle your information

Data Controller contact details

Budleigh Salterton Medical Centre
1 The Lawn, Budleigh Salterton, Devon, EX9 6LS

Dr Tania Davis is the Caldicott Lead

Data Protection Officer contact details DELT email  
Purpose of the processing
  • To give direct health or social care to individual patients. 
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. (This is called audit and clinical governance).
  • Sharing of Special Patient Notes (SPN’s) with out of hours services to assist in the delivery of patient care. This includes information such as End of life status, challenging behavior, domestic circumstances and other relevant information that may influence the manner in which health care services are delivered.
  • Data is shared with other organisations to ensure that care is delivered effectively and safely to patients. 
  • Data is shared with other organisations to ensure that vulnerable patients including children are safeguarded. Data will be shared with other organisations to safeguard providers of health care from harm or risk to their wellbeing.
Lawful basis for processing

These purposes are supported under the following sections of the GDPR:
Article 6(1)(c) “…necessary in order to protect the vital interest of the data subject or another natural person.”

Article 6(1)(f)”…necessary for the purpose of legitimate interest…” 

Article 9(2)(b) “…necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…” (specifically the safeguarding of children and vulnerable adults)
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with: 

  • healthcare professionals and staff in this surgery;
  • local hospitals;
  • out of hours services (specifically Devon Doctors Ltd); 
  • diagnostic and treatment centres; 
  • or other organisations involved in the provision of direct care to individual patients (ie Hospiscare and Medical Examiner Team; community nursing team; UCR
  • Organisations who help us improve our learning – data is anonymised/pseudonymised
  • NHS England
  • NHS Digital
  • Health Intelligence for Child Health Immunisation and Diabetic
  • Eye Screening
Rights to object
  • You have the right to object to information being shared between those who are providing you with direct care. 
  • This may affect the care you receive – please speak to the practice. 
  • You are not able to object to your name, address and other demographic information being sent to NHS Digital. 
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons. 
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. 
  • The information will be shared with the local safeguarding service at NHS Devon CCG
Right to access and correct
  • You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff.
  • We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found on the NHS England website
Right to complain

Please let us know if you are unhappy with how we have used your personal information. You can contact us at Budleigh Salterton Medical Centre, 1 The Lawn, Budleigh Salterton, Devon, EX9 6LS or via our secure online form

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link or call the helpline 0303 123 1113

Data we get from other organisations We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
Processing of data for the purpose of Public Protection  The practice may provide information to and receive information from other agencies for the purpose of protecting the public from individuals who may pose a risk (eg MAPPA). The practice may process this information either as a public task function or because it has a legal duty to do so. Further information including the other agencies involved in the data sharing can be found here