Privacy Notice - How We Use Your Information

This practice keeps medical records confidential and complies with the General Data Protection Regulation.

We hold your medical record so that we can provide you with safe care and treatment.

We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

  • We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
  • This practice is a member of the East Devon Health federation of GP practices and works collaboratively with other member practices for the purpose of delivering the best possible healthcare to patients in east Devon. To enable us to optimise the available resources with your needs you may be referred to other member health partners for treatment and will be given access to your health record to facilitate this treatment. You have the right to opt out if you do not wish your data to be shared under this arrangement.  For more information on how we share your information with other GP practices and any other organisation who are directly involved in your care, please ask to speak to either Dr Richard Mejzner who is our Caldicott Guardian Lead, or Mrs Deborah Mitchell our Practice Manager who would be pleased to discuss any concerns and share our arrangements and Information Sharing documents with you.
  • Healthcare staff working in Accident and Emergency and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record For more information see NHS Digital or alternatively speak to your practice.
  • You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

  • All patients who receive NHS care are registered on a national database. 
  • This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. 
  • The database is held by NHS Digital a national organization which has legal responsibilities to collect NHS data.
  • More information can be found at: NHS Digital - the phone number for general enquires at 0300 303 5678

Identifying patients who might be at risk of certain diseases

  • Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. 
  • This means we can offer patients additional care or support as early as possible. 
  • This process will involve linking information from your GP record with information from other health or social care services you have used. 
  • Information which identifies you will only be seen by this practice.
  • For more speak to the practice.


  • Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
  • These circumstances are rare.
  • We do not need your consent or agreement to do this.
  • Please see our local policies for more information.

e-Consult - Consulting your doctor online

  • We use e-Consult an online tool where you can get advice and treatment or get self-help.
  • e-Consult are a third party organisation and by using this tool you are submitting your information to them.  This information is then submitted to our practice for review by our GPs.
  • The e-Consult privacy notice can be found here

Not a patient but perhaps a relative, friend, next of kin or otherwise have an involvement with a patient?

It is possible that we also hold information on you as part of someone else’s record.  The nature of the information held about you will depend on the circumstances that the information was collected for.  For instance if you have been named as patient Next of Kin we will hold your name and a means of contacting you such as a phone number or address.

Under Data Protection law you will be entitled to receive a copy of this information unless there is good reason not to provide it.

Population Health Analytics

As well as using your  information to support the delivery of care to you, your data may  be used to help improve the way  health and social care is delivered to patients and service users throughout Devon using Population Health Management methods. We will only use a pseudonomised extract (ie not identifiable information) which will be sent securely to NHS Devon Clinical Commissioning Group (CCG) and in partnership with Optum,  who have been appointed to provide  technical assistance to NHS Devon Clinical Commission Group,  use the information to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations. Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a “type 1” opt- out, will be excluded from this programme and will not have their data extracted for this purpose.

Further information about Population Health Management can be found here . We will rely on Public interest task as the legal basis for processing your data for this purpose.

Recording of Telephone Calls

The surgery records all telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse. All calls to and from the surgery are recorded. We also occasionally use recordings for staff training and quality control.

AccuRx – Patient Communication for Healthcare Professionals

AccuRx are an NHS Digital approved supplier generally and are also NHS Digital approved specifically as a video consultation supplier. They have Data Security and Protection Toolkit assurance (ODS code: 8JT17) and Cyber Essentials Plus certification.

AccuRx are used to facilitate text messaging and video consultations –– your name and mobile telephone number are shared for purposes of arranging video consultations, sending appointment reminder messages, links to specific healthcare advice and recall requests.

AccuBook is used specifically and only for booking Covid-19 Vaccination appointments.

Away from my Desk

The practice has 2 licences for Away From My Desk which allows senior employees to connect to their work computer remotely from their personal device in order to work from home.  The practice ensures staff have completed Information Governance, Data Security and Data Protection training and follow strict protocols.  There are full audit trails regarding usage.

Away from my Desk has achieved the Cyber Essentials scheme credentials and complies with the strict NHS Guidelines originally set out in the IG Toolkit.


The practice may use volunteers to help with the administering of the Covid and Flu Vaccines and the data input into medical records of the Covid and Flu vaccines.

General Practice Data for Planning and Research Collection

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.

NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.

At the time of publication (May 2021), patients who have a “type 1” opt- out, will  be excluded from this programme and will not have their data extracted for this purpose.

Further information about GPDfPR can be found here.

We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.

Devon Wide Research Feasibility Group

The practice, along with several others across Devon works with the National Institute for Health Research South West Peninsula (NIHR SWP) to deliver and offer Clinical Trials and Research Studies to the registered population.

In addition to offering Trials and Studies, the Practice works with the NIHR SWP to carry out feasibility reports. This enables the NIHR SWP to report on behalf of the practices, the population across Devon (where practice’s have opted in), to determine whether it is feasible for a study to open, or be considered for the local region (Devon, Cornwall and Somerset). The feasibility group does not extract or access patient identifiable data and staff who undertake this work are bound by Confidentiality: NHS Code of Practice, General Data Protection Regulations 2018 and Good Clinical Practice (training for the delivery of research).

Patients who wish for their data to be excluded from the “top level” feasibility reports should request that the practice records an opt out on their record.


We are required by law to provide you with the following information about how we handle your information

Data Controller contact details

Budleigh Salterton Medical Centre
1 The Lawn, Budleigh Salterton, Devon, EX9 6LS

Dr Tania David is the Caldicott Lead

Data Protection Officer contact details

DELT:  email

Purpose of the processing

  • To give direct health or social care to individual patients. 
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. (This is called audit and clinical governance).
  • Sharing of Special Patient Notes (SPN’s) with out of hours services to assist in the delivery of patient care. This includes information such as End of life status, challenging behavior, domestic circumstances and other relevant information that may influence the manner in which health care services are delivered.
  • Data is shared with other organisations to ensure that care is delivered effectively and safely to patients. 
  • Data is shared with other organisations to ensure that vulnerable patients including children are safeguarded.
  • Data will be shared with other organisations to safeguard providers of health care from harm or risk to their wellbeing.

Lawful basis for processing

These purposes are supported under the following sections of the GDPR:

  • Article 6(1)(c) “…necessary in order to protect the vital interest of the data subject or another natural person.”
  • Article 6(1)(f)”…necessary for the purpose of legitimate interest…” 
  • Article 9(2)(b) “…necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…” (specifically the safeguarding of children and vulnerable adults)
  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals;
  • out of hours services (specifically Devon Doctors Ltd); 
  • diagnostic and treatment centres; 
  • or other organisations involved in the provision of direct care to individual patients (ie Hospiscare and Medical Examiner Team; community nursing team; UCR
  • Organisations who help us improve our learning – data is anonymised/pseudonymised
  • NHS England
  • NHS Digital
  • Health Intelligence for Child Health Immunisation and Diabetic
  • Eye Screening

Rights to object

  • You have the right to object to information being shared between those who are providing you with direct care. 
  • This may affect the care you receive – please speak to the practice. 
  • You are not able to object to your name, address and other demographic information being sent to NHS Digital. 
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons. 
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. 
  • The information will be shared with the local safeguarding service at NHS Devon CCG

Right to access and correct

  • You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff.
  • We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: NHS Digital or speak to the practice.

Right to complain

Please let us know if you are unhappy with how we have used your personal information. You can contact us at Budleigh Salterton Medical Centre, 1 The Lawn, Budleigh Salterton, Devon, EX9 6LS or contact us online

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link or call the helpline 0303 123 1113.

Data we get from other organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

Processing of data for the purpose of Public Protection

The practice may provide information to and receive information from other agencies for the purpose of protecting the public from individuals who may pose a risk (eg MAPPA). The practice may process this information either as a public task function or because it has a legal duty to do so.